1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <linux/binfmts.h> 41 #include <linux/parser.h> 42 #include <linux/fs_context.h> 43 #include <linux/fs_parser.h> 44 #include "smack.h" 45 46 #define TRANS_TRUE "TRUE" 47 #define TRANS_TRUE_SIZE 4 48 49 #define SMK_CONNECTING 0 50 #define SMK_RECEIVING 1 51 #define SMK_SENDING 2 52 53 #ifdef SMACK_IPV6_PORT_LABELING 54 DEFINE_MUTEX(smack_ipv6_lock); 55 static LIST_HEAD(smk_ipv6_port_list); 56 #endif 57 static struct kmem_cache *smack_inode_cache; 58 struct kmem_cache *smack_rule_cache; 59 int smack_enabled; 60 61 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 62 static struct { 63 const char *name; 64 int len; 65 int opt; 66 } smk_mount_opts[] = { 67 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 68 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 69 }; 70 #undef A 71 72 static int match_opt_prefix(char *s, int l, char **arg) 73 { 74 int i; 75 76 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 77 size_t len = smk_mount_opts[i].len; 78 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 79 continue; 80 if (len == l || s[len] != '=') 81 continue; 82 *arg = s + len + 1; 83 return smk_mount_opts[i].opt; 84 } 85 return Opt_error; 86 } 87 88 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 89 static char *smk_bu_mess[] = { 90 "Bringup Error", /* Unused */ 91 "Bringup", /* SMACK_BRINGUP_ALLOW */ 92 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 93 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 94 }; 95 96 static void smk_bu_mode(int mode, char *s) 97 { 98 int i = 0; 99 100 if (mode & MAY_READ) 101 s[i++] = 'r'; 102 if (mode & MAY_WRITE) 103 s[i++] = 'w'; 104 if (mode & MAY_EXEC) 105 s[i++] = 'x'; 106 if (mode & MAY_APPEND) 107 s[i++] = 'a'; 108 if (mode & MAY_TRANSMUTE) 109 s[i++] = 't'; 110 if (mode & MAY_LOCK) 111 s[i++] = 'l'; 112 if (i == 0) 113 s[i++] = '-'; 114 s[i] = '\0'; 115 } 116 #endif 117 118 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 119 static int smk_bu_note(char *note, struct smack_known *sskp, 120 struct smack_known *oskp, int mode, int rc) 121 { 122 char acc[SMK_NUM_ACCESS_TYPE + 1]; 123 124 if (rc <= 0) 125 return rc; 126 if (rc > SMACK_UNCONFINED_OBJECT) 127 rc = 0; 128 129 smk_bu_mode(mode, acc); 130 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 131 sskp->smk_known, oskp->smk_known, acc, note); 132 return 0; 133 } 134 #else 135 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 136 #endif 137 138 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 139 static int smk_bu_current(char *note, struct smack_known *oskp, 140 int mode, int rc) 141 { 142 struct task_smack *tsp = smack_cred(current_cred()); 143 char acc[SMK_NUM_ACCESS_TYPE + 1]; 144 145 if (rc <= 0) 146 return rc; 147 if (rc > SMACK_UNCONFINED_OBJECT) 148 rc = 0; 149 150 smk_bu_mode(mode, acc); 151 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 152 tsp->smk_task->smk_known, oskp->smk_known, 153 acc, current->comm, note); 154 return 0; 155 } 156 #else 157 #define smk_bu_current(note, oskp, mode, RC) (RC) 158 #endif 159 160 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 161 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 162 { 163 struct task_smack *tsp = smack_cred(current_cred()); 164 struct smack_known *smk_task = smk_of_task_struct(otp); 165 char acc[SMK_NUM_ACCESS_TYPE + 1]; 166 167 if (rc <= 0) 168 return rc; 169 if (rc > SMACK_UNCONFINED_OBJECT) 170 rc = 0; 171 172 smk_bu_mode(mode, acc); 173 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 174 tsp->smk_task->smk_known, smk_task->smk_known, acc, 175 current->comm, otp->comm); 176 return 0; 177 } 178 #else 179 #define smk_bu_task(otp, mode, RC) (RC) 180 #endif 181 182 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 183 static int smk_bu_inode(struct inode *inode, int mode, int rc) 184 { 185 struct task_smack *tsp = smack_cred(current_cred()); 186 struct inode_smack *isp = smack_inode(inode); 187 char acc[SMK_NUM_ACCESS_TYPE + 1]; 188 189 if (isp->smk_flags & SMK_INODE_IMPURE) 190 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 191 inode->i_sb->s_id, inode->i_ino, current->comm); 192 193 if (rc <= 0) 194 return rc; 195 if (rc > SMACK_UNCONFINED_OBJECT) 196 rc = 0; 197 if (rc == SMACK_UNCONFINED_SUBJECT && 198 (mode & (MAY_WRITE | MAY_APPEND))) 199 isp->smk_flags |= SMK_INODE_IMPURE; 200 201 smk_bu_mode(mode, acc); 202 203 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 204 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 205 inode->i_sb->s_id, inode->i_ino, current->comm); 206 return 0; 207 } 208 #else 209 #define smk_bu_inode(inode, mode, RC) (RC) 210 #endif 211 212 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 213 static int smk_bu_file(struct file *file, int mode, int rc) 214 { 215 struct task_smack *tsp = smack_cred(current_cred()); 216 struct smack_known *sskp = tsp->smk_task; 217 struct inode *inode = file_inode(file); 218 struct inode_smack *isp = smack_inode(inode); 219 char acc[SMK_NUM_ACCESS_TYPE + 1]; 220 221 if (isp->smk_flags & SMK_INODE_IMPURE) 222 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 223 inode->i_sb->s_id, inode->i_ino, current->comm); 224 225 if (rc <= 0) 226 return rc; 227 if (rc > SMACK_UNCONFINED_OBJECT) 228 rc = 0; 229 230 smk_bu_mode(mode, acc); 231 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 232 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 233 inode->i_sb->s_id, inode->i_ino, file, 234 current->comm); 235 return 0; 236 } 237 #else 238 #define smk_bu_file(file, mode, RC) (RC) 239 #endif 240 241 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 242 static int smk_bu_credfile(const struct cred *cred, struct file *file, 243 int mode, int rc) 244 { 245 struct task_smack *tsp = smack_cred(cred); 246 struct smack_known *sskp = tsp->smk_task; 247 struct inode *inode = file_inode(file); 248 struct inode_smack *isp = smack_inode(inode); 249 char acc[SMK_NUM_ACCESS_TYPE + 1]; 250 251 if (isp->smk_flags & SMK_INODE_IMPURE) 252 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 253 inode->i_sb->s_id, inode->i_ino, current->comm); 254 255 if (rc <= 0) 256 return rc; 257 if (rc > SMACK_UNCONFINED_OBJECT) 258 rc = 0; 259 260 smk_bu_mode(mode, acc); 261 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 262 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 263 inode->i_sb->s_id, inode->i_ino, file, 264 current->comm); 265 return 0; 266 } 267 #else 268 #define smk_bu_credfile(cred, file, mode, RC) (RC) 269 #endif 270 271 /** 272 * smk_fetch - Fetch the smack label from a file. 273 * @name: type of the label (attribute) 274 * @ip: a pointer to the inode 275 * @dp: a pointer to the dentry 276 * 277 * Returns a pointer to the master list entry for the Smack label, 278 * NULL if there was no label to fetch, or an error code. 279 */ 280 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 281 struct dentry *dp) 282 { 283 int rc; 284 char *buffer; 285 struct smack_known *skp = NULL; 286 287 if (!(ip->i_opflags & IOP_XATTR)) 288 return ERR_PTR(-EOPNOTSUPP); 289 290 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 291 if (buffer == NULL) 292 return ERR_PTR(-ENOMEM); 293 294 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 295 if (rc < 0) 296 skp = ERR_PTR(rc); 297 else if (rc == 0) 298 skp = NULL; 299 else 300 skp = smk_import_entry(buffer, rc); 301 302 kfree(buffer); 303 304 return skp; 305 } 306 307 /** 308 * init_inode_smack - initialize an inode security blob 309 * @inode: inode to extract the info from 310 * @skp: a pointer to the Smack label entry to use in the blob 311 * 312 */ 313 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 314 { 315 struct inode_smack *isp = smack_inode(inode); 316 317 isp->smk_inode = skp; 318 isp->smk_flags = 0; 319 mutex_init(&isp->smk_lock); 320 } 321 322 /** 323 * init_task_smack - initialize a task security blob 324 * @tsp: blob to initialize 325 * @task: a pointer to the Smack label for the running task 326 * @forked: a pointer to the Smack label for the forked task 327 * 328 */ 329 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 330 struct smack_known *forked) 331 { 332 tsp->smk_task = task; 333 tsp->smk_forked = forked; 334 INIT_LIST_HEAD(&tsp->smk_rules); 335 INIT_LIST_HEAD(&tsp->smk_relabel); 336 mutex_init(&tsp->smk_rules_lock); 337 } 338 339 /** 340 * smk_copy_rules - copy a rule set 341 * @nhead: new rules header pointer 342 * @ohead: old rules header pointer 343 * @gfp: type of the memory for the allocation 344 * 345 * Returns 0 on success, -ENOMEM on error 346 */ 347 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 348 gfp_t gfp) 349 { 350 struct smack_rule *nrp; 351 struct smack_rule *orp; 352 int rc = 0; 353 354 list_for_each_entry_rcu(orp, ohead, list) { 355 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 356 if (nrp == NULL) { 357 rc = -ENOMEM; 358 break; 359 } 360 *nrp = *orp; 361 list_add_rcu(&nrp->list, nhead); 362 } 363 return rc; 364 } 365 366 /** 367 * smk_copy_relabel - copy smk_relabel labels list 368 * @nhead: new rules header pointer 369 * @ohead: old rules header pointer 370 * @gfp: type of the memory for the allocation 371 * 372 * Returns 0 on success, -ENOMEM on error 373 */ 374 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 375 gfp_t gfp) 376 { 377 struct smack_known_list_elem *nklep; 378 struct smack_known_list_elem *oklep; 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode - input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 if (mode & PTRACE_MODE_ATTACH) 402 return MAY_READWRITE; 403 if (mode & PTRACE_MODE_READ) 404 return MAY_READ; 405 406 return 0; 407 } 408 409 /** 410 * smk_ptrace_rule_check - helper for ptrace access 411 * @tracer: tracer process 412 * @tracee_known: label entry of the process that's about to be traced 413 * @mode: ptrace attachment mode (PTRACE_MODE_*) 414 * @func: name of the function that called us, used for audit 415 * 416 * Returns 0 on access granted, -error on error 417 */ 418 static int smk_ptrace_rule_check(struct task_struct *tracer, 419 struct smack_known *tracee_known, 420 unsigned int mode, const char *func) 421 { 422 int rc; 423 struct smk_audit_info ad, *saip = NULL; 424 struct task_smack *tsp; 425 struct smack_known *tracer_known; 426 const struct cred *tracercred; 427 428 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 429 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 430 smk_ad_setfield_u_tsk(&ad, tracer); 431 saip = &ad; 432 } 433 434 rcu_read_lock(); 435 tracercred = __task_cred(tracer); 436 tsp = smack_cred(tracercred); 437 tracer_known = smk_of_task(tsp); 438 439 if ((mode & PTRACE_MODE_ATTACH) && 440 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 441 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 442 if (tracer_known->smk_known == tracee_known->smk_known) 443 rc = 0; 444 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 445 rc = -EACCES; 446 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 447 rc = 0; 448 else 449 rc = -EACCES; 450 451 if (saip) 452 smack_log(tracer_known->smk_known, 453 tracee_known->smk_known, 454 0, rc, saip); 455 456 rcu_read_unlock(); 457 return rc; 458 } 459 460 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 461 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 462 463 rcu_read_unlock(); 464 return rc; 465 } 466 467 /* 468 * LSM hooks. 469 * We he, that is fun! 470 */ 471 472 /** 473 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 474 * @ctp: child task pointer 475 * @mode: ptrace attachment mode (PTRACE_MODE_*) 476 * 477 * Returns 0 if access is OK, an error code otherwise 478 * 479 * Do the capability checks. 480 */ 481 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 482 { 483 struct smack_known *skp; 484 485 skp = smk_of_task_struct(ctp); 486 487 return smk_ptrace_rule_check(current, skp, mode, __func__); 488 } 489 490 /** 491 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 492 * @ptp: parent task pointer 493 * 494 * Returns 0 if access is OK, an error code otherwise 495 * 496 * Do the capability checks, and require PTRACE_MODE_ATTACH. 497 */ 498 static int smack_ptrace_traceme(struct task_struct *ptp) 499 { 500 int rc; 501 struct smack_known *skp; 502 503 skp = smk_of_task(smack_cred(current_cred())); 504 505 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 506 return rc; 507 } 508 509 /** 510 * smack_syslog - Smack approval on syslog 511 * @typefrom_file: unused 512 * 513 * Returns 0 on success, error code otherwise. 514 */ 515 static int smack_syslog(int typefrom_file) 516 { 517 int rc = 0; 518 struct smack_known *skp = smk_of_current(); 519 520 if (smack_privileged(CAP_MAC_OVERRIDE)) 521 return 0; 522 523 if (smack_syslog_label != NULL && smack_syslog_label != skp) 524 rc = -EACCES; 525 526 return rc; 527 } 528 529 /* 530 * Superblock Hooks. 531 */ 532 533 /** 534 * smack_sb_alloc_security - allocate a superblock blob 535 * @sb: the superblock getting the blob 536 * 537 * Returns 0 on success or -ENOMEM on error. 538 */ 539 static int smack_sb_alloc_security(struct super_block *sb) 540 { 541 struct superblock_smack *sbsp; 542 543 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 544 545 if (sbsp == NULL) 546 return -ENOMEM; 547 548 sbsp->smk_root = &smack_known_floor; 549 sbsp->smk_default = &smack_known_floor; 550 sbsp->smk_floor = &smack_known_floor; 551 sbsp->smk_hat = &smack_known_hat; 552 /* 553 * SMK_SB_INITIALIZED will be zero from kzalloc. 554 */ 555 sb->s_security = sbsp; 556 557 return 0; 558 } 559 560 /** 561 * smack_sb_free_security - free a superblock blob 562 * @sb: the superblock getting the blob 563 * 564 */ 565 static void smack_sb_free_security(struct super_block *sb) 566 { 567 kfree(sb->s_security); 568 sb->s_security = NULL; 569 } 570 571 struct smack_mnt_opts { 572 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 573 }; 574 575 static void smack_free_mnt_opts(void *mnt_opts) 576 { 577 struct smack_mnt_opts *opts = mnt_opts; 578 kfree(opts->fsdefault); 579 kfree(opts->fsfloor); 580 kfree(opts->fshat); 581 kfree(opts->fsroot); 582 kfree(opts->fstransmute); 583 kfree(opts); 584 } 585 586 static int smack_add_opt(int token, const char *s, void **mnt_opts) 587 { 588 struct smack_mnt_opts *opts = *mnt_opts; 589 590 if (!opts) { 591 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 592 if (!opts) 593 return -ENOMEM; 594 *mnt_opts = opts; 595 } 596 if (!s) 597 return -ENOMEM; 598 599 switch (token) { 600 case Opt_fsdefault: 601 if (opts->fsdefault) 602 goto out_opt_err; 603 opts->fsdefault = s; 604 break; 605 case Opt_fsfloor: 606 if (opts->fsfloor) 607 goto out_opt_err; 608 opts->fsfloor = s; 609 break; 610 case Opt_fshat: 611 if (opts->fshat) 612 goto out_opt_err; 613 opts->fshat = s; 614 break; 615 case Opt_fsroot: 616 if (opts->fsroot) 617 goto out_opt_err; 618 opts->fsroot = s; 619 break; 620 case Opt_fstransmute: 621 if (opts->fstransmute) 622 goto out_opt_err; 623 opts->fstransmute = s; 624 break; 625 } 626 return 0; 627 628 out_opt_err: 629 pr_warn("Smack: duplicate mount options\n"); 630 return -EINVAL; 631 } 632 633 /** 634 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 635 * @fc: The new filesystem context. 636 * @src_fc: The source filesystem context being duplicated. 637 * 638 * Returns 0 on success or -ENOMEM on error. 639 */ 640 static int smack_fs_context_dup(struct fs_context *fc, 641 struct fs_context *src_fc) 642 { 643 struct smack_mnt_opts *dst, *src = src_fc->security; 644 645 if (!src) 646 return 0; 647 648 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 649 if (!fc->security) 650 return -ENOMEM; 651 dst = fc->security; 652 653 if (src->fsdefault) { 654 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL); 655 if (!dst->fsdefault) 656 return -ENOMEM; 657 } 658 if (src->fsfloor) { 659 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL); 660 if (!dst->fsfloor) 661 return -ENOMEM; 662 } 663 if (src->fshat) { 664 dst->fshat = kstrdup(src->fshat, GFP_KERNEL); 665 if (!dst->fshat) 666 return -ENOMEM; 667 } 668 if (src->fsroot) { 669 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL); 670 if (!dst->fsroot) 671 return -ENOMEM; 672 } 673 if (src->fstransmute) { 674 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL); 675 if (!dst->fstransmute) 676 return -ENOMEM; 677 } 678 return 0; 679 } 680 681 static const struct fs_parameter_spec smack_param_specs[] = { 682 fsparam_string("smackfsdef", Opt_fsdefault), 683 fsparam_string("smackfsdefault", Opt_fsdefault), 684 fsparam_string("smackfsfloor", Opt_fsfloor), 685 fsparam_string("smackfshat", Opt_fshat), 686 fsparam_string("smackfsroot", Opt_fsroot), 687 fsparam_string("smackfstransmute", Opt_fstransmute), 688 {} 689 }; 690 691 static const struct fs_parameter_description smack_fs_parameters = { 692 .name = "smack", 693 .specs = smack_param_specs, 694 }; 695 696 /** 697 * smack_fs_context_parse_param - Parse a single mount parameter 698 * @fc: The new filesystem context being constructed. 699 * @param: The parameter. 700 * 701 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 702 * error. 703 */ 704 static int smack_fs_context_parse_param(struct fs_context *fc, 705 struct fs_parameter *param) 706 { 707 struct fs_parse_result result; 708 int opt, rc; 709 710 opt = fs_parse(fc, &smack_fs_parameters, param, &result); 711 if (opt < 0) 712 return opt; 713 714 rc = smack_add_opt(opt, param->string, &fc->security); 715 if (!rc) 716 param->string = NULL; 717 return rc; 718 } 719 720 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 721 { 722 char *from = options, *to = options; 723 bool first = true; 724 725 while (1) { 726 char *next = strchr(from, ','); 727 int token, len, rc; 728 char *arg = NULL; 729 730 if (next) 731 len = next - from; 732 else 733 len = strlen(from); 734 735 token = match_opt_prefix(from, len, &arg); 736 if (token != Opt_error) { 737 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 738 rc = smack_add_opt(token, arg, mnt_opts); 739 if (unlikely(rc)) { 740 kfree(arg); 741 if (*mnt_opts) 742 smack_free_mnt_opts(*mnt_opts); 743 *mnt_opts = NULL; 744 return rc; 745 } 746 } else { 747 if (!first) { // copy with preceding comma 748 from--; 749 len++; 750 } 751 if (to != from) 752 memmove(to, from, len); 753 to += len; 754 first = false; 755 } 756 if (!from[len]) 757 break; 758 from += len + 1; 759 } 760 *to = '\0'; 761 return 0; 762 } 763 764 /** 765 * smack_set_mnt_opts - set Smack specific mount options 766 * @sb: the file system superblock 767 * @mnt_opts: Smack mount options 768 * @kern_flags: mount option from kernel space or user space 769 * @set_kern_flags: where to store converted mount opts 770 * 771 * Returns 0 on success, an error code on failure 772 * 773 * Allow filesystems with binary mount data to explicitly set Smack mount 774 * labels. 775 */ 776 static int smack_set_mnt_opts(struct super_block *sb, 777 void *mnt_opts, 778 unsigned long kern_flags, 779 unsigned long *set_kern_flags) 780 { 781 struct dentry *root = sb->s_root; 782 struct inode *inode = d_backing_inode(root); 783 struct superblock_smack *sp = sb->s_security; 784 struct inode_smack *isp; 785 struct smack_known *skp; 786 struct smack_mnt_opts *opts = mnt_opts; 787 bool transmute = false; 788 789 if (sp->smk_flags & SMK_SB_INITIALIZED) 790 return 0; 791 792 if (inode->i_security == NULL) { 793 int rc = lsm_inode_alloc(inode); 794 795 if (rc) 796 return rc; 797 } 798 799 if (!smack_privileged(CAP_MAC_ADMIN)) { 800 /* 801 * Unprivileged mounts don't get to specify Smack values. 802 */ 803 if (opts) 804 return -EPERM; 805 /* 806 * Unprivileged mounts get root and default from the caller. 807 */ 808 skp = smk_of_current(); 809 sp->smk_root = skp; 810 sp->smk_default = skp; 811 /* 812 * For a handful of fs types with no user-controlled 813 * backing store it's okay to trust security labels 814 * in the filesystem. The rest are untrusted. 815 */ 816 if (sb->s_user_ns != &init_user_ns && 817 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 818 sb->s_magic != RAMFS_MAGIC) { 819 transmute = true; 820 sp->smk_flags |= SMK_SB_UNTRUSTED; 821 } 822 } 823 824 sp->smk_flags |= SMK_SB_INITIALIZED; 825 826 if (opts) { 827 if (opts->fsdefault) { 828 skp = smk_import_entry(opts->fsdefault, 0); 829 if (IS_ERR(skp)) 830 return PTR_ERR(skp); 831 sp->smk_default = skp; 832 } 833 if (opts->fsfloor) { 834 skp = smk_import_entry(opts->fsfloor, 0); 835 if (IS_ERR(skp)) 836 return PTR_ERR(skp); 837 sp->smk_floor = skp; 838 } 839 if (opts->fshat) { 840 skp = smk_import_entry(opts->fshat, 0); 841 if (IS_ERR(skp)) 842 return PTR_ERR(skp); 843 sp->smk_hat = skp; 844 } 845 if (opts->fsroot) { 846 skp = smk_import_entry(opts->fsroot, 0); 847 if (IS_ERR(skp)) 848 return PTR_ERR(skp); 849 sp->smk_root = skp; 850 } 851 if (opts->fstransmute) { 852 skp = smk_import_entry(opts->fstransmute, 0); 853 if (IS_ERR(skp)) 854 return PTR_ERR(skp); 855 sp->smk_root = skp; 856 transmute = true; 857 } 858 } 859 860 /* 861 * Initialize the root inode. 862 */ 863 init_inode_smack(inode, sp->smk_root); 864 865 if (transmute) { 866 isp = smack_inode(inode); 867 isp->smk_flags |= SMK_INODE_TRANSMUTE; 868 } 869 870 return 0; 871 } 872 873 /** 874 * smack_sb_statfs - Smack check on statfs 875 * @dentry: identifies the file system in question 876 * 877 * Returns 0 if current can read the floor of the filesystem, 878 * and error code otherwise 879 */ 880 static int smack_sb_statfs(struct dentry *dentry) 881 { 882 struct superblock_smack *sbp = dentry->d_sb->s_security; 883 int rc; 884 struct smk_audit_info ad; 885 886 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 887 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 888 889 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 890 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 891 return rc; 892 } 893 894 /* 895 * BPRM hooks 896 */ 897 898 /** 899 * smack_bprm_set_creds - set creds for exec 900 * @bprm: the exec information 901 * 902 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 903 */ 904 static int smack_bprm_set_creds(struct linux_binprm *bprm) 905 { 906 struct inode *inode = file_inode(bprm->file); 907 struct task_smack *bsp = smack_cred(bprm->cred); 908 struct inode_smack *isp; 909 struct superblock_smack *sbsp; 910 int rc; 911 912 if (bprm->called_set_creds) 913 return 0; 914 915 isp = smack_inode(inode); 916 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 917 return 0; 918 919 sbsp = inode->i_sb->s_security; 920 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 921 isp->smk_task != sbsp->smk_root) 922 return 0; 923 924 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 925 struct task_struct *tracer; 926 rc = 0; 927 928 rcu_read_lock(); 929 tracer = ptrace_parent(current); 930 if (likely(tracer != NULL)) 931 rc = smk_ptrace_rule_check(tracer, 932 isp->smk_task, 933 PTRACE_MODE_ATTACH, 934 __func__); 935 rcu_read_unlock(); 936 937 if (rc != 0) 938 return rc; 939 } 940 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 941 return -EPERM; 942 943 bsp->smk_task = isp->smk_task; 944 bprm->per_clear |= PER_CLEAR_ON_SETID; 945 946 /* Decide if this is a secure exec. */ 947 if (bsp->smk_task != bsp->smk_forked) 948 bprm->secureexec = 1; 949 950 return 0; 951 } 952 953 /* 954 * Inode hooks 955 */ 956 957 /** 958 * smack_inode_alloc_security - allocate an inode blob 959 * @inode: the inode in need of a blob 960 * 961 * Returns 0 962 */ 963 static int smack_inode_alloc_security(struct inode *inode) 964 { 965 struct smack_known *skp = smk_of_current(); 966 967 init_inode_smack(inode, skp); 968 return 0; 969 } 970 971 /** 972 * smack_inode_init_security - copy out the smack from an inode 973 * @inode: the newly created inode 974 * @dir: containing directory object 975 * @qstr: unused 976 * @name: where to put the attribute name 977 * @value: where to put the attribute value 978 * @len: where to put the length of the attribute 979 * 980 * Returns 0 if it all works out, -ENOMEM if there's no memory 981 */ 982 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 983 const struct qstr *qstr, const char **name, 984 void **value, size_t *len) 985 { 986 struct inode_smack *issp = smack_inode(inode); 987 struct smack_known *skp = smk_of_current(); 988 struct smack_known *isp = smk_of_inode(inode); 989 struct smack_known *dsp = smk_of_inode(dir); 990 int may; 991 992 if (name) 993 *name = XATTR_SMACK_SUFFIX; 994 995 if (value && len) { 996 rcu_read_lock(); 997 may = smk_access_entry(skp->smk_known, dsp->smk_known, 998 &skp->smk_rules); 999 rcu_read_unlock(); 1000 1001 /* 1002 * If the access rule allows transmutation and 1003 * the directory requests transmutation then 1004 * by all means transmute. 1005 * Mark the inode as changed. 1006 */ 1007 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1008 smk_inode_transmutable(dir)) { 1009 isp = dsp; 1010 issp->smk_flags |= SMK_INODE_CHANGED; 1011 } 1012 1013 *value = kstrdup(isp->smk_known, GFP_NOFS); 1014 if (*value == NULL) 1015 return -ENOMEM; 1016 1017 *len = strlen(isp->smk_known); 1018 } 1019 1020 return 0; 1021 } 1022 1023 /** 1024 * smack_inode_link - Smack check on link 1025 * @old_dentry: the existing object 1026 * @dir: unused 1027 * @new_dentry: the new object 1028 * 1029 * Returns 0 if access is permitted, an error code otherwise 1030 */ 1031 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1032 struct dentry *new_dentry) 1033 { 1034 struct smack_known *isp; 1035 struct smk_audit_info ad; 1036 int rc; 1037 1038 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1039 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1040 1041 isp = smk_of_inode(d_backing_inode(old_dentry)); 1042 rc = smk_curacc(isp, MAY_WRITE, &ad); 1043 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1044 1045 if (rc == 0 && d_is_positive(new_dentry)) { 1046 isp = smk_of_inode(d_backing_inode(new_dentry)); 1047 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1048 rc = smk_curacc(isp, MAY_WRITE, &ad); 1049 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1050 } 1051 1052 return rc; 1053 } 1054 1055 /** 1056 * smack_inode_unlink - Smack check on inode deletion 1057 * @dir: containing directory object 1058 * @dentry: file to unlink 1059 * 1060 * Returns 0 if current can write the containing directory 1061 * and the object, error code otherwise 1062 */ 1063 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1064 { 1065 struct inode *ip = d_backing_inode(dentry); 1066 struct smk_audit_info ad; 1067 int rc; 1068 1069 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1070 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1071 1072 /* 1073 * You need write access to the thing you're unlinking 1074 */ 1075 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1076 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1077 if (rc == 0) { 1078 /* 1079 * You also need write access to the containing directory 1080 */ 1081 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1082 smk_ad_setfield_u_fs_inode(&ad, dir); 1083 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1084 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1085 } 1086 return rc; 1087 } 1088 1089 /** 1090 * smack_inode_rmdir - Smack check on directory deletion 1091 * @dir: containing directory object 1092 * @dentry: directory to unlink 1093 * 1094 * Returns 0 if current can write the containing directory 1095 * and the directory, error code otherwise 1096 */ 1097 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1098 { 1099 struct smk_audit_info ad; 1100 int rc; 1101 1102 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1103 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1104 1105 /* 1106 * You need write access to the thing you're removing 1107 */ 1108 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1109 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1110 if (rc == 0) { 1111 /* 1112 * You also need write access to the containing directory 1113 */ 1114 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1115 smk_ad_setfield_u_fs_inode(&ad, dir); 1116 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1117 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1118 } 1119 1120 return rc; 1121 } 1122 1123 /** 1124 * smack_inode_rename - Smack check on rename 1125 * @old_inode: unused 1126 * @old_dentry: the old object 1127 * @new_inode: unused 1128 * @new_dentry: the new object 1129 * 1130 * Read and write access is required on both the old and 1131 * new directories. 1132 * 1133 * Returns 0 if access is permitted, an error code otherwise 1134 */ 1135 static int smack_inode_rename(struct inode *old_inode, 1136 struct dentry *old_dentry, 1137 struct inode *new_inode, 1138 struct dentry *new_dentry) 1139 { 1140 int rc; 1141 struct smack_known *isp; 1142 struct smk_audit_info ad; 1143 1144 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1145 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1146 1147 isp = smk_of_inode(d_backing_inode(old_dentry)); 1148 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1149 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1150 1151 if (rc == 0 && d_is_positive(new_dentry)) { 1152 isp = smk_of_inode(d_backing_inode(new_dentry)); 1153 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1154 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1155 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1156 } 1157 return rc; 1158 } 1159 1160 /** 1161 * smack_inode_permission - Smack version of permission() 1162 * @inode: the inode in question 1163 * @mask: the access requested 1164 * 1165 * This is the important Smack hook. 1166 * 1167 * Returns 0 if access is permitted, an error code otherwise 1168 */ 1169 static int smack_inode_permission(struct inode *inode, int mask) 1170 { 1171 struct superblock_smack *sbsp = inode->i_sb->s_security; 1172 struct smk_audit_info ad; 1173 int no_block = mask & MAY_NOT_BLOCK; 1174 int rc; 1175 1176 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1177 /* 1178 * No permission to check. Existence test. Yup, it's there. 1179 */ 1180 if (mask == 0) 1181 return 0; 1182 1183 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1184 if (smk_of_inode(inode) != sbsp->smk_root) 1185 return -EACCES; 1186 } 1187 1188 /* May be droppable after audit */ 1189 if (no_block) 1190 return -ECHILD; 1191 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1192 smk_ad_setfield_u_fs_inode(&ad, inode); 1193 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1194 rc = smk_bu_inode(inode, mask, rc); 1195 return rc; 1196 } 1197 1198 /** 1199 * smack_inode_setattr - Smack check for setting attributes 1200 * @dentry: the object 1201 * @iattr: for the force flag 1202 * 1203 * Returns 0 if access is permitted, an error code otherwise 1204 */ 1205 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1206 { 1207 struct smk_audit_info ad; 1208 int rc; 1209 1210 /* 1211 * Need to allow for clearing the setuid bit. 1212 */ 1213 if (iattr->ia_valid & ATTR_FORCE) 1214 return 0; 1215 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1216 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1217 1218 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1219 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1220 return rc; 1221 } 1222 1223 /** 1224 * smack_inode_getattr - Smack check for getting attributes 1225 * @path: path to extract the info from 1226 * 1227 * Returns 0 if access is permitted, an error code otherwise 1228 */ 1229 static int smack_inode_getattr(const struct path *path) 1230 { 1231 struct smk_audit_info ad; 1232 struct inode *inode = d_backing_inode(path->dentry); 1233 int rc; 1234 1235 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1236 smk_ad_setfield_u_fs_path(&ad, *path); 1237 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1238 rc = smk_bu_inode(inode, MAY_READ, rc); 1239 return rc; 1240 } 1241 1242 /** 1243 * smack_inode_setxattr - Smack check for setting xattrs 1244 * @dentry: the object 1245 * @name: name of the attribute 1246 * @value: value of the attribute 1247 * @size: size of the value 1248 * @flags: unused 1249 * 1250 * This protects the Smack attribute explicitly. 1251 * 1252 * Returns 0 if access is permitted, an error code otherwise 1253 */ 1254 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1255 const void *value, size_t size, int flags) 1256 { 1257 struct smk_audit_info ad; 1258 struct smack_known *skp; 1259 int check_priv = 0; 1260 int check_import = 0; 1261 int check_star = 0; 1262 int rc = 0; 1263 1264 /* 1265 * Check label validity here so import won't fail in post_setxattr 1266 */ 1267 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1268 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1269 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1270 check_priv = 1; 1271 check_import = 1; 1272 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1273 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1274 check_priv = 1; 1275 check_import = 1; 1276 check_star = 1; 1277 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1278 check_priv = 1; 1279 if (size != TRANS_TRUE_SIZE || 1280 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1281 rc = -EINVAL; 1282 } else 1283 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1284 1285 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1286 rc = -EPERM; 1287 1288 if (rc == 0 && check_import) { 1289 skp = size ? smk_import_entry(value, size) : NULL; 1290 if (IS_ERR(skp)) 1291 rc = PTR_ERR(skp); 1292 else if (skp == NULL || (check_star && 1293 (skp == &smack_known_star || skp == &smack_known_web))) 1294 rc = -EINVAL; 1295 } 1296 1297 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1298 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1299 1300 if (rc == 0) { 1301 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1302 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1303 } 1304 1305 return rc; 1306 } 1307 1308 /** 1309 * smack_inode_post_setxattr - Apply the Smack update approved above 1310 * @dentry: object 1311 * @name: attribute name 1312 * @value: attribute value 1313 * @size: attribute size 1314 * @flags: unused 1315 * 1316 * Set the pointer in the inode blob to the entry found 1317 * in the master label list. 1318 */ 1319 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1320 const void *value, size_t size, int flags) 1321 { 1322 struct smack_known *skp; 1323 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1324 1325 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1326 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1327 return; 1328 } 1329 1330 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1331 skp = smk_import_entry(value, size); 1332 if (!IS_ERR(skp)) 1333 isp->smk_inode = skp; 1334 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1335 skp = smk_import_entry(value, size); 1336 if (!IS_ERR(skp)) 1337 isp->smk_task = skp; 1338 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1339 skp = smk_import_entry(value, size); 1340 if (!IS_ERR(skp)) 1341 isp->smk_mmap = skp; 1342 } 1343 1344 return; 1345 } 1346 1347 /** 1348 * smack_inode_getxattr - Smack check on getxattr 1349 * @dentry: the object 1350 * @name: unused 1351 * 1352 * Returns 0 if access is permitted, an error code otherwise 1353 */ 1354 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1355 { 1356 struct smk_audit_info ad; 1357 int rc; 1358 1359 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1360 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1361 1362 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1363 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1364 return rc; 1365 } 1366 1367 /** 1368 * smack_inode_removexattr - Smack check on removexattr 1369 * @dentry: the object 1370 * @name: name of the attribute 1371 * 1372 * Removing the Smack attribute requires CAP_MAC_ADMIN 1373 * 1374 * Returns 0 if access is permitted, an error code otherwise 1375 */ 1376 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1377 { 1378 struct inode_smack *isp; 1379 struct smk_audit_info ad; 1380 int rc = 0; 1381 1382 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1383 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1384 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1385 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1386 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1387 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1388 if (!smack_privileged(CAP_MAC_ADMIN)) 1389 rc = -EPERM; 1390 } else 1391 rc = cap_inode_removexattr(dentry, name); 1392 1393 if (rc != 0) 1394 return rc; 1395 1396 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1397 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1398 1399 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1400 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1401 if (rc != 0) 1402 return rc; 1403 1404 isp = smack_inode(d_backing_inode(dentry)); 1405 /* 1406 * Don't do anything special for these. 1407 * XATTR_NAME_SMACKIPIN 1408 * XATTR_NAME_SMACKIPOUT 1409 */ 1410 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1411 struct super_block *sbp = dentry->d_sb; 1412 struct superblock_smack *sbsp = sbp->s_security; 1413 1414 isp->smk_inode = sbsp->smk_default; 1415 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1416 isp->smk_task = NULL; 1417 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1418 isp->smk_mmap = NULL; 1419 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1420 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1421 1422 return 0; 1423 } 1424 1425 /** 1426 * smack_inode_getsecurity - get smack xattrs 1427 * @inode: the object 1428 * @name: attribute name 1429 * @buffer: where to put the result 1430 * @alloc: duplicate memory 1431 * 1432 * Returns the size of the attribute or an error code 1433 */ 1434 static int smack_inode_getsecurity(struct inode *inode, 1435 const char *name, void **buffer, 1436 bool alloc) 1437 { 1438 struct socket_smack *ssp; 1439 struct socket *sock; 1440 struct super_block *sbp; 1441 struct inode *ip = (struct inode *)inode; 1442 struct smack_known *isp; 1443 1444 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1445 isp = smk_of_inode(inode); 1446 else { 1447 /* 1448 * The rest of the Smack xattrs are only on sockets. 1449 */ 1450 sbp = ip->i_sb; 1451 if (sbp->s_magic != SOCKFS_MAGIC) 1452 return -EOPNOTSUPP; 1453 1454 sock = SOCKET_I(ip); 1455 if (sock == NULL || sock->sk == NULL) 1456 return -EOPNOTSUPP; 1457 1458 ssp = sock->sk->sk_security; 1459 1460 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1461 isp = ssp->smk_in; 1462 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1463 isp = ssp->smk_out; 1464 else 1465 return -EOPNOTSUPP; 1466 } 1467 1468 if (alloc) { 1469 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1470 if (*buffer == NULL) 1471 return -ENOMEM; 1472 } 1473 1474 return strlen(isp->smk_known); 1475 } 1476 1477 1478 /** 1479 * smack_inode_listsecurity - list the Smack attributes 1480 * @inode: the object 1481 * @buffer: where they go 1482 * @buffer_size: size of buffer 1483 */ 1484 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1485 size_t buffer_size) 1486 { 1487 int len = sizeof(XATTR_NAME_SMACK); 1488 1489 if (buffer != NULL && len <= buffer_size) 1490 memcpy(buffer, XATTR_NAME_SMACK, len); 1491 1492 return len; 1493 } 1494 1495 /** 1496 * smack_inode_getsecid - Extract inode's security id 1497 * @inode: inode to extract the info from 1498 * @secid: where result will be saved 1499 */ 1500 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1501 { 1502 struct smack_known *skp = smk_of_inode(inode); 1503 1504 *secid = skp->smk_secid; 1505 } 1506 1507 /* 1508 * File Hooks 1509 */ 1510 1511 /* 1512 * There is no smack_file_permission hook 1513 * 1514 * Should access checks be done on each read or write? 1515 * UNICOS and SELinux say yes. 1516 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1517 * 1518 * I'll say no for now. Smack does not do the frequent 1519 * label changing that SELinux does. 1520 */ 1521 1522 /** 1523 * smack_file_alloc_security - assign a file security blob 1524 * @file: the object 1525 * 1526 * The security blob for a file is a pointer to the master 1527 * label list, so no allocation is done. 1528 * 1529 * f_security is the owner security information. It 1530 * isn't used on file access checks, it's for send_sigio. 1531 * 1532 * Returns 0 1533 */ 1534 static int smack_file_alloc_security(struct file *file) 1535 { 1536 struct smack_known **blob = smack_file(file); 1537 1538 *blob = smk_of_current(); 1539 return 0; 1540 } 1541 1542 /** 1543 * smack_file_ioctl - Smack check on ioctls 1544 * @file: the object 1545 * @cmd: what to do 1546 * @arg: unused 1547 * 1548 * Relies heavily on the correct use of the ioctl command conventions. 1549 * 1550 * Returns 0 if allowed, error code otherwise 1551 */ 1552 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1553 unsigned long arg) 1554 { 1555 int rc = 0; 1556 struct smk_audit_info ad; 1557 struct inode *inode = file_inode(file); 1558 1559 if (unlikely(IS_PRIVATE(inode))) 1560 return 0; 1561 1562 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1563 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1564 1565 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1566 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1567 rc = smk_bu_file(file, MAY_WRITE, rc); 1568 } 1569 1570 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1571 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1572 rc = smk_bu_file(file, MAY_READ, rc); 1573 } 1574 1575 return rc; 1576 } 1577 1578 /** 1579 * smack_file_lock - Smack check on file locking 1580 * @file: the object 1581 * @cmd: unused 1582 * 1583 * Returns 0 if current has lock access, error code otherwise 1584 */ 1585 static int smack_file_lock(struct file *file, unsigned int cmd) 1586 { 1587 struct smk_audit_info ad; 1588 int rc; 1589 struct inode *inode = file_inode(file); 1590 1591 if (unlikely(IS_PRIVATE(inode))) 1592 return 0; 1593 1594 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1595 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1596 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1597 rc = smk_bu_file(file, MAY_LOCK, rc); 1598 return rc; 1599 } 1600 1601 /** 1602 * smack_file_fcntl - Smack check on fcntl 1603 * @file: the object 1604 * @cmd: what action to check 1605 * @arg: unused 1606 * 1607 * Generally these operations are harmless. 1608 * File locking operations present an obvious mechanism 1609 * for passing information, so they require write access. 1610 * 1611 * Returns 0 if current has access, error code otherwise 1612 */ 1613 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1614 unsigned long arg) 1615 { 1616 struct smk_audit_info ad; 1617 int rc = 0; 1618 struct inode *inode = file_inode(file); 1619 1620 if (unlikely(IS_PRIVATE(inode))) 1621 return 0; 1622 1623 switch (cmd) { 1624 case F_GETLK: 1625 break; 1626 case F_SETLK: 1627 case F_SETLKW: 1628 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1629 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1630 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1631 rc = smk_bu_file(file, MAY_LOCK, rc); 1632 break; 1633 case F_SETOWN: 1634 case F_SETSIG: 1635 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1636 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1637 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1638 rc = smk_bu_file(file, MAY_WRITE, rc); 1639 break; 1640 default: 1641 break; 1642 } 1643 1644 return rc; 1645 } 1646 1647 /** 1648 * smack_mmap_file : 1649 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1650 * if mapping anonymous memory. 1651 * @file contains the file structure for file to map (may be NULL). 1652 * @reqprot contains the protection requested by the application. 1653 * @prot contains the protection that will be applied by the kernel. 1654 * @flags contains the operational flags. 1655 * Return 0 if permission is granted. 1656 */ 1657 static int smack_mmap_file(struct file *file, 1658 unsigned long reqprot, unsigned long prot, 1659 unsigned long flags) 1660 { 1661 struct smack_known *skp; 1662 struct smack_known *mkp; 1663 struct smack_rule *srp; 1664 struct task_smack *tsp; 1665 struct smack_known *okp; 1666 struct inode_smack *isp; 1667 struct superblock_smack *sbsp; 1668 int may; 1669 int mmay; 1670 int tmay; 1671 int rc; 1672 1673 if (file == NULL) 1674 return 0; 1675 1676 if (unlikely(IS_PRIVATE(file_inode(file)))) 1677 return 0; 1678 1679 isp = smack_inode(file_inode(file)); 1680 if (isp->smk_mmap == NULL) 1681 return 0; 1682 sbsp = file_inode(file)->i_sb->s_security; 1683 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1684 isp->smk_mmap != sbsp->smk_root) 1685 return -EACCES; 1686 mkp = isp->smk_mmap; 1687 1688 tsp = smack_cred(current_cred()); 1689 skp = smk_of_current(); 1690 rc = 0; 1691 1692 rcu_read_lock(); 1693 /* 1694 * For each Smack rule associated with the subject 1695 * label verify that the SMACK64MMAP also has access 1696 * to that rule's object label. 1697 */ 1698 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1699 okp = srp->smk_object; 1700 /* 1701 * Matching labels always allows access. 1702 */ 1703 if (mkp->smk_known == okp->smk_known) 1704 continue; 1705 /* 1706 * If there is a matching local rule take 1707 * that into account as well. 1708 */ 1709 may = smk_access_entry(srp->smk_subject->smk_known, 1710 okp->smk_known, 1711 &tsp->smk_rules); 1712 if (may == -ENOENT) 1713 may = srp->smk_access; 1714 else 1715 may &= srp->smk_access; 1716 /* 1717 * If may is zero the SMACK64MMAP subject can't 1718 * possibly have less access. 1719 */ 1720 if (may == 0) 1721 continue; 1722 1723 /* 1724 * Fetch the global list entry. 1725 * If there isn't one a SMACK64MMAP subject 1726 * can't have as much access as current. 1727 */ 1728 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1729 &mkp->smk_rules); 1730 if (mmay == -ENOENT) { 1731 rc = -EACCES; 1732 break; 1733 } 1734 /* 1735 * If there is a local entry it modifies the 1736 * potential access, too. 1737 */ 1738 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1739 &tsp->smk_rules); 1740 if (tmay != -ENOENT) 1741 mmay &= tmay; 1742 1743 /* 1744 * If there is any access available to current that is 1745 * not available to a SMACK64MMAP subject 1746 * deny access. 1747 */ 1748 if ((may | mmay) != mmay) { 1749 rc = -EACCES; 1750 break; 1751 } 1752 } 1753 1754 rcu_read_unlock(); 1755 1756 return rc; 1757 } 1758 1759 /** 1760 * smack_file_set_fowner - set the file security blob value 1761 * @file: object in question 1762 * 1763 */ 1764 static void smack_file_set_fowner(struct file *file) 1765 { 1766 struct smack_known **blob = smack_file(file); 1767 1768 *blob = smk_of_current(); 1769 } 1770 1771 /** 1772 * smack_file_send_sigiotask - Smack on sigio 1773 * @tsk: The target task 1774 * @fown: the object the signal come from 1775 * @signum: unused 1776 * 1777 * Allow a privileged task to get signals even if it shouldn't 1778 * 1779 * Returns 0 if a subject with the object's smack could 1780 * write to the task, an error code otherwise. 1781 */ 1782 static int smack_file_send_sigiotask(struct task_struct *tsk, 1783 struct fown_struct *fown, int signum) 1784 { 1785 struct smack_known **blob; 1786 struct smack_known *skp; 1787 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1788 const struct cred *tcred; 1789 struct file *file; 1790 int rc; 1791 struct smk_audit_info ad; 1792 1793 /* 1794 * struct fown_struct is never outside the context of a struct file 1795 */ 1796 file = container_of(fown, struct file, f_owner); 1797 1798 /* we don't log here as rc can be overriden */ 1799 blob = smack_file(file); 1800 skp = *blob; 1801 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1802 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1803 1804 rcu_read_lock(); 1805 tcred = __task_cred(tsk); 1806 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1807 rc = 0; 1808 rcu_read_unlock(); 1809 1810 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1811 smk_ad_setfield_u_tsk(&ad, tsk); 1812 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1813 return rc; 1814 } 1815 1816 /** 1817 * smack_file_receive - Smack file receive check 1818 * @file: the object 1819 * 1820 * Returns 0 if current has access, error code otherwise 1821 */ 1822 static int smack_file_receive(struct file *file) 1823 { 1824 int rc; 1825 int may = 0; 1826 struct smk_audit_info ad; 1827 struct inode *inode = file_inode(file); 1828 struct socket *sock; 1829 struct task_smack *tsp; 1830 struct socket_smack *ssp; 1831 1832 if (unlikely(IS_PRIVATE(inode))) 1833 return 0; 1834 1835 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1836 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1837 1838 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1839 sock = SOCKET_I(inode); 1840 ssp = sock->sk->sk_security; 1841 tsp = smack_cred(current_cred()); 1842 /* 1843 * If the receiving process can't write to the 1844 * passed socket or if the passed socket can't 1845 * write to the receiving process don't accept 1846 * the passed socket. 1847 */ 1848 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1849 rc = smk_bu_file(file, may, rc); 1850 if (rc < 0) 1851 return rc; 1852 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1853 rc = smk_bu_file(file, may, rc); 1854 return rc; 1855 } 1856 /* 1857 * This code relies on bitmasks. 1858 */ 1859 if (file->f_mode & FMODE_READ) 1860 may = MAY_READ; 1861 if (file->f_mode & FMODE_WRITE) 1862 may |= MAY_WRITE; 1863 1864 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1865 rc = smk_bu_file(file, may, rc); 1866 return rc; 1867 } 1868 1869 /** 1870 * smack_file_open - Smack dentry open processing 1871 * @file: the object 1872 * 1873 * Set the security blob in the file structure. 1874 * Allow the open only if the task has read access. There are 1875 * many read operations (e.g. fstat) that you can do with an 1876 * fd even if you have the file open write-only. 1877 * 1878 * Returns 0 if current has access, error code otherwise 1879 */ 1880 static int smack_file_open(struct file *file) 1881 { 1882 struct task_smack *tsp = smack_cred(file->f_cred); 1883 struct inode *inode = file_inode(file); 1884 struct smk_audit_info ad; 1885 int rc; 1886 1887 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1888 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1889 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1890 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1891 1892 return rc; 1893 } 1894 1895 /* 1896 * Task hooks 1897 */ 1898 1899 /** 1900 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1901 * @cred: the new credentials 1902 * @gfp: the atomicity of any memory allocations 1903 * 1904 * Prepare a blank set of credentials for modification. This must allocate all 1905 * the memory the LSM module might require such that cred_transfer() can 1906 * complete without error. 1907 */ 1908 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1909 { 1910 init_task_smack(smack_cred(cred), NULL, NULL); 1911 return 0; 1912 } 1913 1914 1915 /** 1916 * smack_cred_free - "free" task-level security credentials 1917 * @cred: the credentials in question 1918 * 1919 */ 1920 static void smack_cred_free(struct cred *cred) 1921 { 1922 struct task_smack *tsp = smack_cred(cred); 1923 struct smack_rule *rp; 1924 struct list_head *l; 1925 struct list_head *n; 1926 1927 smk_destroy_label_list(&tsp->smk_relabel); 1928 1929 list_for_each_safe(l, n, &tsp->smk_rules) { 1930 rp = list_entry(l, struct smack_rule, list); 1931 list_del(&rp->list); 1932 kmem_cache_free(smack_rule_cache, rp); 1933 } 1934 } 1935 1936 /** 1937 * smack_cred_prepare - prepare new set of credentials for modification 1938 * @new: the new credentials 1939 * @old: the original credentials 1940 * @gfp: the atomicity of any memory allocations 1941 * 1942 * Prepare a new set of credentials for modification. 1943 */ 1944 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1945 gfp_t gfp) 1946 { 1947 struct task_smack *old_tsp = smack_cred(old); 1948 struct task_smack *new_tsp = smack_cred(new); 1949 int rc; 1950 1951 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1952 1953 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1954 if (rc != 0) 1955 return rc; 1956 1957 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1958 gfp); 1959 return rc; 1960 } 1961 1962 /** 1963 * smack_cred_transfer - Transfer the old credentials to the new credentials 1964 * @new: the new credentials 1965 * @old: the original credentials 1966 * 1967 * Fill in a set of blank credentials from another set of credentials. 1968 */ 1969 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1970 { 1971 struct task_smack *old_tsp = smack_cred(old); 1972 struct task_smack *new_tsp = smack_cred(new); 1973 1974 new_tsp->smk_task = old_tsp->smk_task; 1975 new_tsp->smk_forked = old_tsp->smk_task; 1976 mutex_init(&new_tsp->smk_rules_lock); 1977 INIT_LIST_HEAD(&new_tsp->smk_rules); 1978 1979 /* cbs copy rule list */ 1980 } 1981 1982 /** 1983 * smack_cred_getsecid - get the secid corresponding to a creds structure 1984 * @cred: the object creds 1985 * @secid: where to put the result 1986 * 1987 * Sets the secid to contain a u32 version of the smack label. 1988 */ 1989 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 1990 { 1991 struct smack_known *skp; 1992 1993 rcu_read_lock(); 1994 skp = smk_of_task(smack_cred(cred)); 1995 *secid = skp->smk_secid; 1996 rcu_read_unlock(); 1997 } 1998 1999 /** 2000 * smack_kernel_act_as - Set the subjective context in a set of credentials 2001 * @new: points to the set of credentials to be modified. 2002 * @secid: specifies the security ID to be set 2003 * 2004 * Set the security data for a kernel service. 2005 */ 2006 static int smack_kernel_act_as(struct cred *new, u32 secid) 2007 { 2008 struct task_smack *new_tsp = smack_cred(new); 2009 2010 new_tsp->smk_task = smack_from_secid(secid); 2011 return 0; 2012 } 2013 2014 /** 2015 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2016 * @new: points to the set of credentials to be modified 2017 * @inode: points to the inode to use as a reference 2018 * 2019 * Set the file creation context in a set of credentials to the same 2020 * as the objective context of the specified inode 2021 */ 2022 static int smack_kernel_create_files_as(struct cred *new, 2023 struct inode *inode) 2024 { 2025 struct inode_smack *isp = smack_inode(inode); 2026 struct task_smack *tsp = smack_cred(new); 2027 2028 tsp->smk_forked = isp->smk_inode; 2029 tsp->smk_task = tsp->smk_forked; 2030 return 0; 2031 } 2032 2033 /** 2034 * smk_curacc_on_task - helper to log task related access 2035 * @p: the task object 2036 * @access: the access requested 2037 * @caller: name of the calling function for audit 2038 * 2039 * Return 0 if access is permitted 2040 */ 2041 static int smk_curacc_on_task(struct task_struct *p, int access, 2042 const char *caller) 2043 { 2044 struct smk_audit_info ad; 2045 struct smack_known *skp = smk_of_task_struct(p); 2046 int rc; 2047 2048 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2049 smk_ad_setfield_u_tsk(&ad, p); 2050 rc = smk_curacc(skp, access, &ad); 2051 rc = smk_bu_task(p, access, rc); 2052 return rc; 2053 } 2054 2055 /** 2056 * smack_task_setpgid - Smack check on setting pgid 2057 * @p: the task object 2058 * @pgid: unused 2059 * 2060 * Return 0 if write access is permitted 2061 */ 2062 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2063 { 2064 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2065 } 2066 2067 /** 2068 * smack_task_getpgid - Smack access check for getpgid 2069 * @p: the object task 2070 * 2071 * Returns 0 if current can read the object task, error code otherwise 2072 */ 2073 static int smack_task_getpgid(struct task_struct *p) 2074 { 2075 return smk_curacc_on_task(p, MAY_READ, __func__); 2076 } 2077 2078 /** 2079 * smack_task_getsid - Smack access check for getsid 2080 * @p: the object task 2081 * 2082 * Returns 0 if current can read the object task, error code otherwise 2083 */ 2084 static int smack_task_getsid(struct task_struct *p) 2085 { 2086 return smk_curacc_on_task(p, MAY_READ, __func__); 2087 } 2088 2089 /** 2090 * smack_task_getsecid - get the secid of the task 2091 * @p: the object task 2092 * @secid: where to put the result 2093 * 2094 * Sets the secid to contain a u32 version of the smack label. 2095 */ 2096 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2097 { 2098 struct smack_known *skp = smk_of_task_struct(p); 2099 2100 *secid = skp->smk_secid; 2101 } 2102 2103 /** 2104 * smack_task_setnice - Smack check on setting nice 2105 * @p: the task object 2106 * @nice: unused 2107 * 2108 * Return 0 if write access is permitted 2109 */ 2110 static int smack_task_setnice(struct task_struct *p, int nice) 2111 { 2112 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2113 } 2114 2115 /** 2116 * smack_task_setioprio - Smack check on setting ioprio 2117 * @p: the task object 2118 * @ioprio: unused 2119 * 2120 * Return 0 if write access is permitted 2121 */ 2122 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2123 { 2124 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2125 } 2126 2127 /** 2128 * smack_task_getioprio - Smack check on reading ioprio 2129 * @p: the task object 2130 * 2131 * Return 0 if read access is permitted 2132 */ 2133 static int smack_task_getioprio(struct task_struct *p) 2134 { 2135 return smk_curacc_on_task(p, MAY_READ, __func__); 2136 } 2137 2138 /** 2139 * smack_task_setscheduler - Smack check on setting scheduler 2140 * @p: the task object 2141 * 2142 * Return 0 if read access is permitted 2143 */ 2144 static int smack_task_setscheduler(struct task_struct *p) 2145 { 2146 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2147 } 2148 2149 /** 2150 * smack_task_getscheduler - Smack check on reading scheduler 2151 * @p: the task object 2152 * 2153 * Return 0 if read access is permitted 2154 */ 2155 static int smack_task_getscheduler(struct task_struct *p) 2156 { 2157 return smk_curacc_on_task(p, MAY_READ, __func__); 2158 } 2159 2160 /** 2161 * smack_task_movememory - Smack check on moving memory 2162 * @p: the task object 2163 * 2164 * Return 0 if write access is permitted 2165 */ 2166 static int smack_task_movememory(struct task_struct *p) 2167 { 2168 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2169 } 2170 2171 /** 2172 * smack_task_kill - Smack check on signal delivery 2173 * @p: the task object 2174 * @info: unused 2175 * @sig: unused 2176 * @cred: identifies the cred to use in lieu of current's 2177 * 2178 * Return 0 if write access is permitted 2179 * 2180 */ 2181 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2182 int sig, const struct cred *cred) 2183 { 2184 struct smk_audit_info ad; 2185 struct smack_known *skp; 2186 struct smack_known *tkp = smk_of_task_struct(p); 2187 int rc; 2188 2189 if (!sig) 2190 return 0; /* null signal; existence test */ 2191 2192 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2193 smk_ad_setfield_u_tsk(&ad, p); 2194 /* 2195 * Sending a signal requires that the sender 2196 * can write the receiver. 2197 */ 2198 if (cred == NULL) { 2199 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2200 rc = smk_bu_task(p, MAY_DELIVER, rc); 2201 return rc; 2202 } 2203 /* 2204 * If the cred isn't NULL we're dealing with some USB IO 2205 * specific behavior. This is not clean. For one thing 2206 * we can't take privilege into account. 2207 */ 2208 skp = smk_of_task(smack_cred(cred)); 2209 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2210 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2211 return rc; 2212 } 2213 2214 /** 2215 * smack_task_to_inode - copy task smack into the inode blob 2216 * @p: task to copy from 2217 * @inode: inode to copy to 2218 * 2219 * Sets the smack pointer in the inode security blob 2220 */ 2221 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2222 { 2223 struct inode_smack *isp = smack_inode(inode); 2224 struct smack_known *skp = smk_of_task_struct(p); 2225 2226 isp->smk_inode = skp; 2227 isp->smk_flags |= SMK_INODE_INSTANT; 2228 } 2229 2230 /* 2231 * Socket hooks. 2232 */ 2233 2234 /** 2235 * smack_sk_alloc_security - Allocate a socket blob 2236 * @sk: the socket 2237 * @family: unused 2238 * @gfp_flags: memory allocation flags 2239 * 2240 * Assign Smack pointers to current 2241 * 2242 * Returns 0 on success, -ENOMEM is there's no memory 2243 */ 2244 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2245 { 2246 struct smack_known *skp = smk_of_current(); 2247 struct socket_smack *ssp; 2248 2249 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2250 if (ssp == NULL) 2251 return -ENOMEM; 2252 2253 /* 2254 * Sockets created by kernel threads receive web label. 2255 */ 2256 if (unlikely(current->flags & PF_KTHREAD)) { 2257 ssp->smk_in = &smack_known_web; 2258 ssp->smk_out = &smack_known_web; 2259 } else { 2260 ssp->smk_in = skp; 2261 ssp->smk_out = skp; 2262 } 2263 ssp->smk_packet = NULL; 2264 2265 sk->sk_security = ssp; 2266 2267 return 0; 2268 } 2269 2270 /** 2271 * smack_sk_free_security - Free a socket blob 2272 * @sk: the socket 2273 * 2274 * Clears the blob pointer 2275 */ 2276 static void smack_sk_free_security(struct sock *sk) 2277 { 2278 #ifdef SMACK_IPV6_PORT_LABELING 2279 struct smk_port_label *spp; 2280 2281 if (sk->sk_family == PF_INET6) { 2282 rcu_read_lock(); 2283 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2284 if (spp->smk_sock != sk) 2285 continue; 2286 spp->smk_can_reuse = 1; 2287 break; 2288 } 2289 rcu_read_unlock(); 2290 } 2291 #endif 2292 kfree(sk->sk_security); 2293 } 2294 2295 /** 2296 * smack_ipv4host_label - check host based restrictions 2297 * @sip: the object end 2298 * 2299 * looks for host based access restrictions 2300 * 2301 * This version will only be appropriate for really small sets of single label 2302 * hosts. The caller is responsible for ensuring that the RCU read lock is 2303 * taken before calling this function. 2304 * 2305 * Returns the label of the far end or NULL if it's not special. 2306 */ 2307 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2308 { 2309 struct smk_net4addr *snp; 2310 struct in_addr *siap = &sip->sin_addr; 2311 2312 if (siap->s_addr == 0) 2313 return NULL; 2314 2315 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2316 /* 2317 * we break after finding the first match because 2318 * the list is sorted from longest to shortest mask 2319 * so we have found the most specific match 2320 */ 2321 if (snp->smk_host.s_addr == 2322 (siap->s_addr & snp->smk_mask.s_addr)) 2323 return snp->smk_label; 2324 2325 return NULL; 2326 } 2327 2328 #if IS_ENABLED(CONFIG_IPV6) 2329 /* 2330 * smk_ipv6_localhost - Check for local ipv6 host address 2331 * @sip: the address 2332 * 2333 * Returns boolean true if this is the localhost address 2334 */ 2335 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2336 { 2337 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2338 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2339 2340 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2341 ntohs(be16p[7]) == 1) 2342 return true; 2343 return false; 2344 } 2345 2346 /** 2347 * smack_ipv6host_label - check host based restrictions 2348 * @sip: the object end 2349 * 2350 * looks for host based access restrictions 2351 * 2352 * This version will only be appropriate for really small sets of single label 2353 * hosts. The caller is responsible for ensuring that the RCU read lock is 2354 * taken before calling this function. 2355 * 2356 * Returns the label of the far end or NULL if it's not special. 2357 */ 2358 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2359 { 2360 struct smk_net6addr *snp; 2361 struct in6_addr *sap = &sip->sin6_addr; 2362 int i; 2363 int found = 0; 2364 2365 /* 2366 * It's local. Don't look for a host label. 2367 */ 2368 if (smk_ipv6_localhost(sip)) 2369 return NULL; 2370 2371 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2372 /* 2373 * If the label is NULL the entry has 2374 * been renounced. Ignore it. 2375 */ 2376 if (snp->smk_label == NULL) 2377 continue; 2378 /* 2379 * we break after finding the first match because 2380 * the list is sorted from longest to shortest mask 2381 * so we have found the most specific match 2382 */ 2383 for (found = 1, i = 0; i < 8; i++) { 2384 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2385 snp->smk_host.s6_addr16[i]) { 2386 found = 0; 2387 break; 2388 } 2389 } 2390 if (found) 2391 return snp->smk_label; 2392 } 2393 2394 return NULL; 2395 } 2396 #endif /* CONFIG_IPV6 */ 2397 2398 /** 2399 * smack_netlabel - Set the secattr on a socket 2400 * @sk: the socket 2401 * @labeled: socket label scheme 2402 * 2403 * Convert the outbound smack value (smk_out) to a 2404 * secattr and attach it to the socket. 2405 * 2406 * Returns 0 on success or an error code 2407 */ 2408 static int smack_netlabel(struct sock *sk, int labeled) 2409 { 2410 struct smack_known *skp; 2411 struct socket_smack *ssp = sk->sk_security; 2412 int rc = 0; 2413 2414 /* 2415 * Usually the netlabel code will handle changing the 2416 * packet labeling based on the label. 2417 * The case of a single label host is different, because 2418 * a single label host should never get a labeled packet 2419 * even though the label is usually associated with a packet 2420 * label. 2421 */ 2422 local_bh_disable(); 2423 bh_lock_sock_nested(sk); 2424 2425 if (ssp->smk_out == smack_net_ambient || 2426 labeled == SMACK_UNLABELED_SOCKET) 2427 netlbl_sock_delattr(sk); 2428 else { 2429 skp = ssp->smk_out; 2430 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2431 } 2432 2433 bh_unlock_sock(sk); 2434 local_bh_enable(); 2435 2436 return rc; 2437 } 2438 2439 /** 2440 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2441 * @sk: the socket 2442 * @sap: the destination address 2443 * 2444 * Set the correct secattr for the given socket based on the destination 2445 * address and perform any outbound access checks needed. 2446 * 2447 * Returns 0 on success or an error code. 2448 * 2449 */ 2450 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2451 { 2452 struct smack_known *skp; 2453 int rc; 2454 int sk_lbl; 2455 struct smack_known *hkp; 2456 struct socket_smack *ssp = sk->sk_security; 2457 struct smk_audit_info ad; 2458 2459 rcu_read_lock(); 2460 hkp = smack_ipv4host_label(sap); 2461 if (hkp != NULL) { 2462 #ifdef CONFIG_AUDIT 2463 struct lsm_network_audit net; 2464 2465 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2466 ad.a.u.net->family = sap->sin_family; 2467 ad.a.u.net->dport = sap->sin_port; 2468 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2469 #endif 2470 sk_lbl = SMACK_UNLABELED_SOCKET; 2471 skp = ssp->smk_out; 2472 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2473 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2474 } else { 2475 sk_lbl = SMACK_CIPSO_SOCKET; 2476 rc = 0; 2477 } 2478 rcu_read_unlock(); 2479 if (rc != 0) 2480 return rc; 2481 2482 return smack_netlabel(sk, sk_lbl); 2483 } 2484 2485 #if IS_ENABLED(CONFIG_IPV6) 2486 /** 2487 * smk_ipv6_check - check Smack access 2488 * @subject: subject Smack label 2489 * @object: object Smack label 2490 * @address: address 2491 * @act: the action being taken 2492 * 2493 * Check an IPv6 access 2494 */ 2495 static int smk_ipv6_check(struct smack_known *subject, 2496 struct smack_known *object, 2497 struct sockaddr_in6 *address, int act) 2498 { 2499 #ifdef CONFIG_AUDIT 2500 struct lsm_network_audit net; 2501 #endif 2502 struct smk_audit_info ad; 2503 int rc; 2504 2505 #ifdef CONFIG_AUDIT 2506 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2507 ad.a.u.net->family = PF_INET6; 2508 ad.a.u.net->dport = ntohs(address->sin6_port); 2509 if (act == SMK_RECEIVING) 2510 ad.a.u.net->v6info.saddr = address->sin6_addr; 2511 else 2512 ad.a.u.net->v6info.daddr = address->sin6_addr; 2513 #endif 2514 rc = smk_access(subject, object, MAY_WRITE, &ad); 2515 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2516 return rc; 2517 } 2518 #endif /* CONFIG_IPV6 */ 2519 2520 #ifdef SMACK_IPV6_PORT_LABELING 2521 /** 2522 * smk_ipv6_port_label - Smack port access table management 2523 * @sock: socket 2524 * @address: address 2525 * 2526 * Create or update the port list entry 2527 */ 2528 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2529 { 2530 struct sock *sk = sock->sk; 2531 struct sockaddr_in6 *addr6; 2532 struct socket_smack *ssp = sock->sk->sk_security; 2533 struct smk_port_label *spp; 2534 unsigned short port = 0; 2535 2536 if (address == NULL) { 2537 /* 2538 * This operation is changing the Smack information 2539 * on the bound socket. Take the changes to the port 2540 * as well. 2541 */ 2542 rcu_read_lock(); 2543 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2544 if (sk != spp->smk_sock) 2545 continue; 2546 spp->smk_in = ssp->smk_in; 2547 spp->smk_out = ssp->smk_out; 2548 rcu_read_unlock(); 2549 return; 2550 } 2551 /* 2552 * A NULL address is only used for updating existing 2553 * bound entries. If there isn't one, it's OK. 2554 */ 2555 rcu_read_unlock(); 2556 return; 2557 } 2558 2559 addr6 = (struct sockaddr_in6 *)address; 2560 port = ntohs(addr6->sin6_port); 2561 /* 2562 * This is a special case that is safely ignored. 2563 */ 2564 if (port == 0) 2565 return; 2566 2567 /* 2568 * Look for an existing port list entry. 2569 * This is an indication that a port is getting reused. 2570 */ 2571 rcu_read_lock(); 2572 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2573 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2574 continue; 2575 if (spp->smk_can_reuse != 1) { 2576 rcu_read_unlock(); 2577 return; 2578 } 2579 spp->smk_port = port; 2580 spp->smk_sock = sk; 2581 spp->smk_in = ssp->smk_in; 2582 spp->smk_out = ssp->smk_out; 2583 spp->smk_can_reuse = 0; 2584 rcu_read_unlock(); 2585 return; 2586 } 2587 rcu_read_unlock(); 2588 /* 2589 * A new port entry is required. 2590 */ 2591 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2592 if (spp == NULL) 2593 return; 2594 2595 spp->smk_port = port; 2596 spp->smk_sock = sk; 2597 spp->smk_in = ssp->smk_in; 2598 spp->smk_out = ssp->smk_out; 2599 spp->smk_sock_type = sock->type; 2600 spp->smk_can_reuse = 0; 2601 2602 mutex_lock(&smack_ipv6_lock); 2603 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2604 mutex_unlock(&smack_ipv6_lock); 2605 return; 2606 } 2607 2608 /** 2609 * smk_ipv6_port_check - check Smack port access 2610 * @sk: socket 2611 * @address: address 2612 * @act: the action being taken 2613 * 2614 * Create or update the port list entry 2615 */ 2616 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2617 int act) 2618 { 2619 struct smk_port_label *spp; 2620 struct socket_smack *ssp = sk->sk_security; 2621 struct smack_known *skp = NULL; 2622 unsigned short port; 2623 struct smack_known *object; 2624 2625 if (act == SMK_RECEIVING) { 2626 skp = smack_ipv6host_label(address); 2627 object = ssp->smk_in; 2628 } else { 2629 skp = ssp->smk_out; 2630 object = smack_ipv6host_label(address); 2631 } 2632 2633 /* 2634 * The other end is a single label host. 2635 */ 2636 if (skp != NULL && object != NULL) 2637 return smk_ipv6_check(skp, object, address, act); 2638 if (skp == NULL) 2639 skp = smack_net_ambient; 2640 if (object == NULL) 2641 object = smack_net_ambient; 2642 2643 /* 2644 * It's remote, so port lookup does no good. 2645 */ 2646 if (!smk_ipv6_localhost(address)) 2647 return smk_ipv6_check(skp, object, address, act); 2648 2649 /* 2650 * It's local so the send check has to have passed. 2651 */ 2652 if (act == SMK_RECEIVING) 2653 return 0; 2654 2655 port = ntohs(address->sin6_port); 2656 rcu_read_lock(); 2657 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2658 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2659 continue; 2660 object = spp->smk_in; 2661 if (act == SMK_CONNECTING) 2662 ssp->smk_packet = spp->smk_out; 2663 break; 2664 } 2665 rcu_read_unlock(); 2666 2667 return smk_ipv6_check(skp, object, address, act); 2668 } 2669 #endif /* SMACK_IPV6_PORT_LABELING */ 2670 2671 /** 2672 * smack_inode_setsecurity - set smack xattrs 2673 * @inode: the object 2674 * @name: attribute name 2675 * @value: attribute value 2676 * @size: size of the attribute 2677 * @flags: unused 2678 * 2679 * Sets the named attribute in the appropriate blob 2680 * 2681 * Returns 0 on success, or an error code 2682 */ 2683 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2684 const void *value, size_t size, int flags) 2685 { 2686 struct smack_known *skp; 2687 struct inode_smack *nsp = smack_inode(inode); 2688 struct socket_smack *ssp; 2689 struct socket *sock; 2690 int rc = 0; 2691 2692 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2693 return -EINVAL; 2694 2695 skp = smk_import_entry(value, size); 2696 if (IS_ERR(skp)) 2697 return PTR_ERR(skp); 2698 2699 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2700 nsp->smk_inode = skp; 2701 nsp->smk_flags |= SMK_INODE_INSTANT; 2702 return 0; 2703 } 2704 /* 2705 * The rest of the Smack xattrs are only on sockets. 2706 */ 2707 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2708 return -EOPNOTSUPP; 2709 2710 sock = SOCKET_I(inode); 2711 if (sock == NULL || sock->sk == NULL) 2712 return -EOPNOTSUPP; 2713 2714 ssp = sock->sk->sk_security; 2715 2716 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2717 ssp->smk_in = skp; 2718 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2719 ssp->smk_out = skp; 2720 if (sock->sk->sk_family == PF_INET) { 2721 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2722 if (rc != 0) 2723 printk(KERN_WARNING 2724 "Smack: \"%s\" netlbl error %d.\n", 2725 __func__, -rc); 2726 } 2727 } else 2728 return -EOPNOTSUPP; 2729 2730 #ifdef SMACK_IPV6_PORT_LABELING 2731 if (sock->sk->sk_family == PF_INET6) 2732 smk_ipv6_port_label(sock, NULL); 2733 #endif 2734 2735 return 0; 2736 } 2737 2738 /** 2739 * smack_socket_post_create - finish socket setup 2740 * @sock: the socket 2741 * @family: protocol family 2742 * @type: unused 2743 * @protocol: unused 2744 * @kern: unused 2745 * 2746 * Sets the netlabel information on the socket 2747 * 2748 * Returns 0 on success, and error code otherwise 2749 */ 2750 static int smack_socket_post_create(struct socket *sock, int family, 2751 int type, int protocol, int kern) 2752 { 2753 struct socket_smack *ssp; 2754 2755 if (sock->sk == NULL) 2756 return 0; 2757 2758 /* 2759 * Sockets created by kernel threads receive web label. 2760 */ 2761 if (unlikely(current->flags & PF_KTHREAD)) { 2762 ssp = sock->sk->sk_security; 2763 ssp->smk_in = &smack_known_web; 2764 ssp->smk_out = &smack_known_web; 2765 } 2766 2767 if (family != PF_INET) 2768 return 0; 2769 /* 2770 * Set the outbound netlbl. 2771 */ 2772 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2773 } 2774 2775 /** 2776 * smack_socket_socketpair - create socket pair 2777 * @socka: one socket 2778 * @sockb: another socket 2779 * 2780 * Cross reference the peer labels for SO_PEERSEC 2781 * 2782 * Returns 0 2783 */ 2784 static int smack_socket_socketpair(struct socket *socka, 2785 struct socket *sockb) 2786 { 2787 struct socket_smack *asp = socka->sk->sk_security; 2788 struct socket_smack *bsp = sockb->sk->sk_security; 2789 2790 asp->smk_packet = bsp->smk_out; 2791 bsp->smk_packet = asp->smk_out; 2792 2793 return 0; 2794 } 2795 2796 #ifdef SMACK_IPV6_PORT_LABELING 2797 /** 2798 * smack_socket_bind - record port binding information. 2799 * @sock: the socket 2800 * @address: the port address 2801 * @addrlen: size of the address 2802 * 2803 * Records the label bound to a port. 2804 * 2805 * Returns 0 on success, and error code otherwise 2806 */ 2807 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2808 int addrlen) 2809 { 2810 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2811 if (addrlen < SIN6_LEN_RFC2133 || 2812 address->sa_family != AF_INET6) 2813 return -EINVAL; 2814 smk_ipv6_port_label(sock, address); 2815 } 2816 return 0; 2817 } 2818 #endif /* SMACK_IPV6_PORT_LABELING */ 2819 2820 /** 2821 * smack_socket_connect - connect access check 2822 * @sock: the socket 2823 * @sap: the other end 2824 * @addrlen: size of sap 2825 * 2826 * Verifies that a connection may be possible 2827 * 2828 * Returns 0 on success, and error code otherwise 2829 */ 2830 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2831 int addrlen) 2832 { 2833 int rc = 0; 2834 #if IS_ENABLED(CONFIG_IPV6) 2835 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2836 #endif 2837 #ifdef SMACK_IPV6_SECMARK_LABELING 2838 struct smack_known *rsp; 2839 struct socket_smack *ssp; 2840 #endif 2841 2842 if (sock->sk == NULL) 2843 return 0; 2844 2845 #ifdef SMACK_IPV6_SECMARK_LABELING 2846 ssp = sock->sk->sk_security; 2847 #endif 2848 2849 switch (sock->sk->sk_family) { 2850 case PF_INET: 2851 if (addrlen < sizeof(struct sockaddr_in) || 2852 sap->sa_family != AF_INET) 2853 return -EINVAL; 2854 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2855 break; 2856 case PF_INET6: 2857 if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6) 2858 return -EINVAL; 2859 #ifdef SMACK_IPV6_SECMARK_LABELING 2860 rsp = smack_ipv6host_label(sip); 2861 if (rsp != NULL) 2862 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2863 SMK_CONNECTING); 2864 #endif 2865 #ifdef SMACK_IPV6_PORT_LABELING 2866 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2867 #endif 2868 break; 2869 } 2870 return rc; 2871 } 2872 2873 /** 2874 * smack_flags_to_may - convert S_ to MAY_ values 2875 * @flags: the S_ value 2876 * 2877 * Returns the equivalent MAY_ value 2878 */ 2879 static int smack_flags_to_may(int flags) 2880 { 2881 int may = 0; 2882 2883 if (flags & S_IRUGO) 2884 may |= MAY_READ; 2885 if (flags & S_IWUGO) 2886 may |= MAY_WRITE; 2887 if (flags & S_IXUGO) 2888 may |= MAY_EXEC; 2889 2890 return may; 2891 } 2892 2893 /** 2894 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2895 * @msg: the object 2896 * 2897 * Returns 0 2898 */ 2899 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2900 { 2901 struct smack_known **blob = smack_msg_msg(msg); 2902 2903 *blob = smk_of_current(); 2904 return 0; 2905 } 2906 2907 /** 2908 * smack_of_ipc - the smack pointer for the ipc 2909 * @isp: the object 2910 * 2911 * Returns a pointer to the smack value 2912 */ 2913 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2914 { 2915 struct smack_known **blob = smack_ipc(isp); 2916 2917 return *blob; 2918 } 2919 2920 /** 2921 * smack_ipc_alloc_security - Set the security blob for ipc 2922 * @isp: the object 2923 * 2924 * Returns 0 2925 */ 2926 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2927 { 2928 struct smack_known **blob = smack_ipc(isp); 2929 2930 *blob = smk_of_current(); 2931 return 0; 2932 } 2933 2934 /** 2935 * smk_curacc_shm : check if current has access on shm 2936 * @isp : the object 2937 * @access : access requested 2938 * 2939 * Returns 0 if current has the requested access, error code otherwise 2940 */ 2941 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2942 { 2943 struct smack_known *ssp = smack_of_ipc(isp); 2944 struct smk_audit_info ad; 2945 int rc; 2946 2947 #ifdef CONFIG_AUDIT 2948 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2949 ad.a.u.ipc_id = isp->id; 2950 #endif 2951 rc = smk_curacc(ssp, access, &ad); 2952 rc = smk_bu_current("shm", ssp, access, rc); 2953 return rc; 2954 } 2955 2956 /** 2957 * smack_shm_associate - Smack access check for shm 2958 * @isp: the object 2959 * @shmflg: access requested 2960 * 2961 * Returns 0 if current has the requested access, error code otherwise 2962 */ 2963 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2964 { 2965 int may; 2966 2967 may = smack_flags_to_may(shmflg); 2968 return smk_curacc_shm(isp, may); 2969 } 2970 2971 /** 2972 * smack_shm_shmctl - Smack access check for shm 2973 * @isp: the object 2974 * @cmd: what it wants to do 2975 * 2976 * Returns 0 if current has the requested access, error code otherwise 2977 */ 2978 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2979 { 2980 int may; 2981 2982 switch (cmd) { 2983 case IPC_STAT: 2984 case SHM_STAT: 2985 case SHM_STAT_ANY: 2986 may = MAY_READ; 2987 break; 2988 case IPC_SET: 2989 case SHM_LOCK: 2990 case SHM_UNLOCK: 2991 case IPC_RMID: 2992 may = MAY_READWRITE; 2993 break; 2994 case IPC_INFO: 2995 case SHM_INFO: 2996 /* 2997 * System level information. 2998 */ 2999 return 0; 3000 default: 3001 return -EINVAL; 3002 } 3003 return smk_curacc_shm(isp, may); 3004 } 3005 3006 /** 3007 * smack_shm_shmat - Smack access for shmat 3008 * @isp: the object 3009 * @shmaddr: unused 3010 * @shmflg: access requested 3011 * 3012 * Returns 0 if current has the requested access, error code otherwise 3013 */ 3014 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3015 int shmflg) 3016 { 3017 int may; 3018 3019 may = smack_flags_to_may(shmflg); 3020 return smk_curacc_shm(isp, may); 3021 } 3022 3023 /** 3024 * smk_curacc_sem : check if current has access on sem 3025 * @isp : the object 3026 * @access : access requested 3027 * 3028 * Returns 0 if current has the requested access, error code otherwise 3029 */ 3030 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3031 { 3032 struct smack_known *ssp = smack_of_ipc(isp); 3033 struct smk_audit_info ad; 3034 int rc; 3035 3036 #ifdef CONFIG_AUDIT 3037 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3038 ad.a.u.ipc_id = isp->id; 3039 #endif 3040 rc = smk_curacc(ssp, access, &ad); 3041 rc = smk_bu_current("sem", ssp, access, rc); 3042 return rc; 3043 } 3044 3045 /** 3046 * smack_sem_associate - Smack access check for sem 3047 * @isp: the object 3048 * @semflg: access requested 3049 * 3050 * Returns 0 if current has the requested access, error code otherwise 3051 */ 3052 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3053 { 3054 int may; 3055 3056 may = smack_flags_to_may(semflg); 3057 return smk_curacc_sem(isp, may); 3058 } 3059 3060 /** 3061 * smack_sem_shmctl - Smack access check for sem 3062 * @isp: the object 3063 * @cmd: what it wants to do 3064 * 3065 * Returns 0 if current has the requested access, error code otherwise 3066 */ 3067 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3068 { 3069 int may; 3070 3071 switch (cmd) { 3072 case GETPID: 3073 case GETNCNT: 3074 case GETZCNT: 3075 case GETVAL: 3076 case GETALL: 3077 case IPC_STAT: 3078 case SEM_STAT: 3079 case SEM_STAT_ANY: 3080 may = MAY_READ; 3081 break; 3082 case SETVAL: 3083 case SETALL: 3084 case IPC_RMID: 3085 case IPC_SET: 3086 may = MAY_READWRITE; 3087 break; 3088 case IPC_INFO: 3089 case SEM_INFO: 3090 /* 3091 * System level information 3092 */ 3093 return 0; 3094 default: 3095 return -EINVAL; 3096 } 3097 3098 return smk_curacc_sem(isp, may); 3099 } 3100 3101 /** 3102 * smack_sem_semop - Smack checks of semaphore operations 3103 * @isp: the object 3104 * @sops: unused 3105 * @nsops: unused 3106 * @alter: unused 3107 * 3108 * Treated as read and write in all cases. 3109 * 3110 * Returns 0 if access is allowed, error code otherwise 3111 */ 3112 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3113 unsigned nsops, int alter) 3114 { 3115 return smk_curacc_sem(isp, MAY_READWRITE); 3116 } 3117 3118 /** 3119 * smk_curacc_msq : helper to check if current has access on msq 3120 * @isp : the msq 3121 * @access : access requested 3122 * 3123 * return 0 if current has access, error otherwise 3124 */ 3125 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3126 { 3127 struct smack_known *msp = smack_of_ipc(isp); 3128 struct smk_audit_info ad; 3129 int rc; 3130 3131 #ifdef CONFIG_AUDIT 3132 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3133 ad.a.u.ipc_id = isp->id; 3134 #endif 3135 rc = smk_curacc(msp, access, &ad); 3136 rc = smk_bu_current("msq", msp, access, rc); 3137 return rc; 3138 } 3139 3140 /** 3141 * smack_msg_queue_associate - Smack access check for msg_queue 3142 * @isp: the object 3143 * @msqflg: access requested 3144 * 3145 * Returns 0 if current has the requested access, error code otherwise 3146 */ 3147 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3148 { 3149 int may; 3150 3151 may = smack_flags_to_may(msqflg); 3152 return smk_curacc_msq(isp, may); 3153 } 3154 3155 /** 3156 * smack_msg_queue_msgctl - Smack access check for msg_queue 3157 * @isp: the object 3158 * @cmd: what it wants to do 3159 * 3160 * Returns 0 if current has the requested access, error code otherwise 3161 */ 3162 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3163 { 3164 int may; 3165 3166 switch (cmd) { 3167 case IPC_STAT: 3168 case MSG_STAT: 3169 case MSG_STAT_ANY: 3170 may = MAY_READ; 3171 break; 3172 case IPC_SET: 3173 case IPC_RMID: 3174 may = MAY_READWRITE; 3175 break; 3176 case IPC_INFO: 3177 case MSG_INFO: 3178 /* 3179 * System level information 3180 */ 3181 return 0; 3182 default: 3183 return -EINVAL; 3184 } 3185 3186 return smk_curacc_msq(isp, may); 3187 } 3188 3189 /** 3190 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3191 * @isp: the object 3192 * @msg: unused 3193 * @msqflg: access requested 3194 * 3195 * Returns 0 if current has the requested access, error code otherwise 3196 */ 3197 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3198 int msqflg) 3199 { 3200 int may; 3201 3202 may = smack_flags_to_may(msqflg); 3203 return smk_curacc_msq(isp, may); 3204 } 3205 3206 /** 3207 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3208 * @isp: the object 3209 * @msg: unused 3210 * @target: unused 3211 * @type: unused 3212 * @mode: unused 3213 * 3214 * Returns 0 if current has read and write access, error code otherwise 3215 */ 3216 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3217 struct task_struct *target, long type, int mode) 3218 { 3219 return smk_curacc_msq(isp, MAY_READWRITE); 3220 } 3221 3222 /** 3223 * smack_ipc_permission - Smack access for ipc_permission() 3224 * @ipp: the object permissions 3225 * @flag: access requested 3226 * 3227 * Returns 0 if current has read and write access, error code otherwise 3228 */ 3229 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3230 { 3231 struct smack_known **blob = smack_ipc(ipp); 3232 struct smack_known *iskp = *blob; 3233 int may = smack_flags_to_may(flag); 3234 struct smk_audit_info ad; 3235 int rc; 3236 3237 #ifdef CONFIG_AUDIT 3238 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3239 ad.a.u.ipc_id = ipp->id; 3240 #endif 3241 rc = smk_curacc(iskp, may, &ad); 3242 rc = smk_bu_current("svipc", iskp, may, rc); 3243 return rc; 3244 } 3245 3246 /** 3247 * smack_ipc_getsecid - Extract smack security id 3248 * @ipp: the object permissions 3249 * @secid: where result will be saved 3250 */ 3251 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3252 { 3253 struct smack_known **blob = smack_ipc(ipp); 3254 struct smack_known *iskp = *blob; 3255 3256 *secid = iskp->smk_secid; 3257 } 3258 3259 /** 3260 * smack_d_instantiate - Make sure the blob is correct on an inode 3261 * @opt_dentry: dentry where inode will be attached 3262 * @inode: the object 3263 * 3264 * Set the inode's security blob if it hasn't been done already. 3265 */ 3266 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3267 { 3268 struct super_block *sbp; 3269 struct superblock_smack *sbsp; 3270 struct inode_smack *isp; 3271 struct smack_known *skp; 3272 struct smack_known *ckp = smk_of_current(); 3273 struct smack_known *final; 3274 char trattr[TRANS_TRUE_SIZE]; 3275 int transflag = 0; 3276 int rc; 3277 struct dentry *dp; 3278 3279 if (inode == NULL) 3280 return; 3281 3282 isp = smack_inode(inode); 3283 3284 mutex_lock(&isp->smk_lock); 3285 /* 3286 * If the inode is already instantiated 3287 * take the quick way out 3288 */ 3289 if (isp->smk_flags & SMK_INODE_INSTANT) 3290 goto unlockandout; 3291 3292 sbp = inode->i_sb; 3293 sbsp = sbp->s_security; 3294 /* 3295 * We're going to use the superblock default label 3296 * if there's no label on the file. 3297 */ 3298 final = sbsp->smk_default; 3299 3300 /* 3301 * If this is the root inode the superblock 3302 * may be in the process of initialization. 3303 * If that is the case use the root value out 3304 * of the superblock. 3305 */ 3306 if (opt_dentry->d_parent == opt_dentry) { 3307 switch (sbp->s_magic) { 3308 case CGROUP_SUPER_MAGIC: 3309 case CGROUP2_SUPER_MAGIC: 3310 /* 3311 * The cgroup filesystem is never mounted, 3312 * so there's no opportunity to set the mount 3313 * options. 3314 */ 3315 sbsp->smk_root = &smack_known_star; 3316 sbsp->smk_default = &smack_known_star; 3317 isp->smk_inode = sbsp->smk_root; 3318 break; 3319 case TMPFS_MAGIC: 3320 /* 3321 * What about shmem/tmpfs anonymous files with dentry 3322 * obtained from d_alloc_pseudo()? 3323 */ 3324 isp->smk_inode = smk_of_current(); 3325 break; 3326 case PIPEFS_MAGIC: 3327 isp->smk_inode = smk_of_current(); 3328 break; 3329 case SOCKFS_MAGIC: 3330 /* 3331 * Socket access is controlled by the socket 3332 * structures associated with the task involved. 3333 */ 3334 isp->smk_inode = &smack_known_star; 3335 break; 3336 default: 3337 isp->smk_inode = sbsp->smk_root; 3338 break; 3339 } 3340 isp->smk_flags |= SMK_INODE_INSTANT; 3341 goto unlockandout; 3342 } 3343 3344 /* 3345 * This is pretty hackish. 3346 * Casey says that we shouldn't have to do 3347 * file system specific code, but it does help 3348 * with keeping it simple. 3349 */ 3350 switch (sbp->s_magic) { 3351 case SMACK_MAGIC: 3352 case CGROUP_SUPER_MAGIC: 3353 case CGROUP2_SUPER_MAGIC: 3354 /* 3355 * Casey says that it's a little embarrassing 3356 * that the smack file system doesn't do 3357 * extended attributes. 3358 * 3359 * Cgroupfs is special 3360 */ 3361 final = &smack_known_star; 3362 break; 3363 case DEVPTS_SUPER_MAGIC: 3364 /* 3365 * devpts seems content with the label of the task. 3366 * Programs that change smack have to treat the 3367 * pty with respect. 3368 */ 3369 final = ckp; 3370 break; 3371 case PROC_SUPER_MAGIC: 3372 /* 3373 * Casey says procfs appears not to care. 3374 * The superblock default suffices. 3375 */ 3376 break; 3377 case TMPFS_MAGIC: 3378 /* 3379 * Device labels should come from the filesystem, 3380 * but watch out, because they're volitile, 3381 * getting recreated on every reboot. 3382 */ 3383 final = &smack_known_star; 3384 /* 3385 * If a smack value has been set we want to use it, 3386 * but since tmpfs isn't giving us the opportunity 3387 * to set mount options simulate setting the 3388 * superblock default. 3389 */ 3390 /* Fall through */ 3391 default: 3392 /* 3393 * This isn't an understood special case. 3394 * Get the value from the xattr. 3395 */ 3396 3397 /* 3398 * UNIX domain sockets use lower level socket data. 3399 */ 3400 if (S_ISSOCK(inode->i_mode)) { 3401 final = &smack_known_star; 3402 break; 3403 } 3404 /* 3405 * No xattr support means, alas, no SMACK label. 3406 * Use the aforeapplied default. 3407 * It would be curious if the label of the task 3408 * does not match that assigned. 3409 */ 3410 if (!(inode->i_opflags & IOP_XATTR)) 3411 break; 3412 /* 3413 * Get the dentry for xattr. 3414 */ 3415 dp = dget(opt_dentry); 3416 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3417 if (!IS_ERR_OR_NULL(skp)) 3418 final = skp; 3419 3420 /* 3421 * Transmuting directory 3422 */ 3423 if (S_ISDIR(inode->i_mode)) { 3424 /* 3425 * If this is a new directory and the label was 3426 * transmuted when the inode was initialized 3427 * set the transmute attribute on the directory 3428 * and mark the inode. 3429 * 3430 * If there is a transmute attribute on the 3431 * directory mark the inode. 3432 */ 3433 if (isp->smk_flags & SMK_INODE_CHANGED) { 3434 isp->smk_flags &= ~SMK_INODE_CHANGED; 3435 rc = __vfs_setxattr(dp, inode, 3436 XATTR_NAME_SMACKTRANSMUTE, 3437 TRANS_TRUE, TRANS_TRUE_SIZE, 3438 0); 3439 } else { 3440 rc = __vfs_getxattr(dp, inode, 3441 XATTR_NAME_SMACKTRANSMUTE, trattr, 3442 TRANS_TRUE_SIZE); 3443 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3444 TRANS_TRUE_SIZE) != 0) 3445 rc = -EINVAL; 3446 } 3447 if (rc >= 0) 3448 transflag = SMK_INODE_TRANSMUTE; 3449 } 3450 /* 3451 * Don't let the exec or mmap label be "*" or "@". 3452 */ 3453 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3454 if (IS_ERR(skp) || skp == &smack_known_star || 3455 skp == &smack_known_web) 3456 skp = NULL; 3457 isp->smk_task = skp; 3458 3459 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3460 if (IS_ERR(skp) || skp == &smack_known_star || 3461 skp == &smack_known_web) 3462 skp = NULL; 3463 isp->smk_mmap = skp; 3464 3465 dput(dp); 3466 break; 3467 } 3468 3469 if (final == NULL) 3470 isp->smk_inode = ckp; 3471 else 3472 isp->smk_inode = final; 3473 3474 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3475 3476 unlockandout: 3477 mutex_unlock(&isp->smk_lock); 3478 return; 3479 } 3480 3481 /** 3482 * smack_getprocattr - Smack process attribute access 3483 * @p: the object task 3484 * @name: the name of the attribute in /proc/.../attr 3485 * @value: where to put the result 3486 * 3487 * Places a copy of the task Smack into value 3488 * 3489 * Returns the length of the smack label or an error code 3490 */ 3491 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3492 { 3493 struct smack_known *skp = smk_of_task_struct(p); 3494 char *cp; 3495 int slen; 3496 3497 if (strcmp(name, "current") != 0) 3498 return -EINVAL; 3499 3500 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3501 if (cp == NULL) 3502 return -ENOMEM; 3503 3504 slen = strlen(cp); 3505 *value = cp; 3506 return slen; 3507 } 3508 3509 /** 3510 * smack_setprocattr - Smack process attribute setting 3511 * @name: the name of the attribute in /proc/.../attr 3512 * @value: the value to set 3513 * @size: the size of the value 3514 * 3515 * Sets the Smack value of the task. Only setting self 3516 * is permitted and only with privilege 3517 * 3518 * Returns the length of the smack label or an error code 3519 */ 3520 static int smack_setprocattr(const char *name, void *value, size_t size) 3521 { 3522 struct task_smack *tsp = smack_cred(current_cred()); 3523 struct cred *new; 3524 struct smack_known *skp; 3525 struct smack_known_list_elem *sklep; 3526 int rc; 3527 3528 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3529 return -EPERM; 3530 3531 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3532 return -EINVAL; 3533 3534 if (strcmp(name, "current") != 0) 3535 return -EINVAL; 3536 3537 skp = smk_import_entry(value, size); 3538 if (IS_ERR(skp)) 3539 return PTR_ERR(skp); 3540 3541 /* 3542 * No process is ever allowed the web ("@") label 3543 * and the star ("*") label. 3544 */ 3545 if (skp == &smack_known_web || skp == &smack_known_star) 3546 return -EINVAL; 3547 3548 if (!smack_privileged(CAP_MAC_ADMIN)) { 3549 rc = -EPERM; 3550 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3551 if (sklep->smk_label == skp) { 3552 rc = 0; 3553 break; 3554 } 3555 if (rc) 3556 return rc; 3557 } 3558 3559 new = prepare_creds(); 3560 if (new == NULL) 3561 return -ENOMEM; 3562 3563 tsp = smack_cred(new); 3564 tsp->smk_task = skp; 3565 /* 3566 * process can change its label only once 3567 */ 3568 smk_destroy_label_list(&tsp->smk_relabel); 3569 3570 commit_creds(new); 3571 return size; 3572 } 3573 3574 /** 3575 * smack_unix_stream_connect - Smack access on UDS 3576 * @sock: one sock 3577 * @other: the other sock 3578 * @newsk: unused 3579 * 3580 * Return 0 if a subject with the smack of sock could access 3581 * an object with the smack of other, otherwise an error code 3582 */ 3583 static int smack_unix_stream_connect(struct sock *sock, 3584 struct sock *other, struct sock *newsk) 3585 { 3586 struct smack_known *skp; 3587 struct smack_known *okp; 3588 struct socket_smack *ssp = sock->sk_security; 3589 struct socket_smack *osp = other->sk_security; 3590 struct socket_smack *nsp = newsk->sk_security; 3591 struct smk_audit_info ad; 3592 int rc = 0; 3593 #ifdef CONFIG_AUDIT 3594 struct lsm_network_audit net; 3595 #endif 3596 3597 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3598 skp = ssp->smk_out; 3599 okp = osp->smk_in; 3600 #ifdef CONFIG_AUDIT 3601 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3602 smk_ad_setfield_u_net_sk(&ad, other); 3603 #endif 3604 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3605 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3606 if (rc == 0) { 3607 okp = osp->smk_out; 3608 skp = ssp->smk_in; 3609 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3610 rc = smk_bu_note("UDS connect", okp, skp, 3611 MAY_WRITE, rc); 3612 } 3613 } 3614 3615 /* 3616 * Cross reference the peer labels for SO_PEERSEC. 3617 */ 3618 if (rc == 0) { 3619 nsp->smk_packet = ssp->smk_out; 3620 ssp->smk_packet = osp->smk_out; 3621 } 3622 3623 return rc; 3624 } 3625 3626 /** 3627 * smack_unix_may_send - Smack access on UDS 3628 * @sock: one socket 3629 * @other: the other socket 3630 * 3631 * Return 0 if a subject with the smack of sock could access 3632 * an object with the smack of other, otherwise an error code 3633 */ 3634 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3635 { 3636 struct socket_smack *ssp = sock->sk->sk_security; 3637 struct socket_smack *osp = other->sk->sk_security; 3638 struct smk_audit_info ad; 3639 int rc; 3640 3641 #ifdef CONFIG_AUDIT 3642 struct lsm_network_audit net; 3643 3644 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3645 smk_ad_setfield_u_net_sk(&ad, other->sk); 3646 #endif 3647 3648 if (smack_privileged(CAP_MAC_OVERRIDE)) 3649 return 0; 3650 3651 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3652 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3653 return rc; 3654 } 3655 3656 /** 3657 * smack_socket_sendmsg - Smack check based on destination host 3658 * @sock: the socket 3659 * @msg: the message 3660 * @size: the size of the message 3661 * 3662 * Return 0 if the current subject can write to the destination host. 3663 * For IPv4 this is only a question if the destination is a single label host. 3664 * For IPv6 this is a check against the label of the port. 3665 */ 3666 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3667 int size) 3668 { 3669 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3670 #if IS_ENABLED(CONFIG_IPV6) 3671 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3672 #endif 3673 #ifdef SMACK_IPV6_SECMARK_LABELING 3674 struct socket_smack *ssp = sock->sk->sk_security; 3675 struct smack_known *rsp; 3676 #endif 3677 int rc = 0; 3678 3679 /* 3680 * Perfectly reasonable for this to be NULL 3681 */ 3682 if (sip == NULL) 3683 return 0; 3684 3685 switch (sock->sk->sk_family) { 3686 case AF_INET: 3687 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3688 sip->sin_family != AF_INET) 3689 return -EINVAL; 3690 rc = smack_netlabel_send(sock->sk, sip); 3691 break; 3692 #if IS_ENABLED(CONFIG_IPV6) 3693 case AF_INET6: 3694 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3695 sap->sin6_family != AF_INET6) 3696 return -EINVAL; 3697 #ifdef SMACK_IPV6_SECMARK_LABELING 3698 rsp = smack_ipv6host_label(sap); 3699 if (rsp != NULL) 3700 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3701 SMK_CONNECTING); 3702 #endif 3703 #ifdef SMACK_IPV6_PORT_LABELING 3704 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3705 #endif 3706 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3707 break; 3708 } 3709 return rc; 3710 } 3711 3712 /** 3713 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3714 * @sap: netlabel secattr 3715 * @ssp: socket security information 3716 * 3717 * Returns a pointer to a Smack label entry found on the label list. 3718 */ 3719 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3720 struct socket_smack *ssp) 3721 { 3722 struct smack_known *skp; 3723 int found = 0; 3724 int acat; 3725 int kcat; 3726 3727 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3728 /* 3729 * Looks like a CIPSO packet. 3730 * If there are flags but no level netlabel isn't 3731 * behaving the way we expect it to. 3732 * 3733 * Look it up in the label table 3734 * Without guidance regarding the smack value 3735 * for the packet fall back on the network 3736 * ambient value. 3737 */ 3738 rcu_read_lock(); 3739 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3740 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3741 continue; 3742 /* 3743 * Compare the catsets. Use the netlbl APIs. 3744 */ 3745 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3746 if ((skp->smk_netlabel.flags & 3747 NETLBL_SECATTR_MLS_CAT) == 0) 3748 found = 1; 3749 break; 3750 } 3751 for (acat = -1, kcat = -1; acat == kcat; ) { 3752 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3753 acat + 1); 3754 kcat = netlbl_catmap_walk( 3755 skp->smk_netlabel.attr.mls.cat, 3756 kcat + 1); 3757 if (acat < 0 || kcat < 0) 3758 break; 3759 } 3760 if (acat == kcat) { 3761 found = 1; 3762 break; 3763 } 3764 } 3765 rcu_read_unlock(); 3766 3767 if (found) 3768 return skp; 3769 3770 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3771 return &smack_known_web; 3772 return &smack_known_star; 3773 } 3774 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3775 /* 3776 * Looks like a fallback, which gives us a secid. 3777 */ 3778 return smack_from_secid(sap->attr.secid); 3779 /* 3780 * Without guidance regarding the smack value 3781 * for the packet fall back on the network 3782 * ambient value. 3783 */ 3784 return smack_net_ambient; 3785 } 3786 3787 #if IS_ENABLED(CONFIG_IPV6) 3788 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3789 { 3790 u8 nexthdr; 3791 int offset; 3792 int proto = -EINVAL; 3793 struct ipv6hdr _ipv6h; 3794 struct ipv6hdr *ip6; 3795 __be16 frag_off; 3796 struct tcphdr _tcph, *th; 3797 struct udphdr _udph, *uh; 3798 struct dccp_hdr _dccph, *dh; 3799 3800 sip->sin6_port = 0; 3801 3802 offset = skb_network_offset(skb); 3803 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3804 if (ip6 == NULL) 3805 return -EINVAL; 3806 sip->sin6_addr = ip6->saddr; 3807 3808 nexthdr = ip6->nexthdr; 3809 offset += sizeof(_ipv6h); 3810 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3811 if (offset < 0) 3812 return -EINVAL; 3813 3814 proto = nexthdr; 3815 switch (proto) { 3816 case IPPROTO_TCP: 3817 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3818 if (th != NULL) 3819 sip->sin6_port = th->source; 3820 break; 3821 case IPPROTO_UDP: 3822 case IPPROTO_UDPLITE: 3823 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3824 if (uh != NULL) 3825 sip->sin6_port = uh->source; 3826 break; 3827 case IPPROTO_DCCP: 3828 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3829 if (dh != NULL) 3830 sip->sin6_port = dh->dccph_sport; 3831 break; 3832 } 3833 return proto; 3834 } 3835 #endif /* CONFIG_IPV6 */ 3836 3837 /** 3838 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3839 * @sk: socket 3840 * @skb: packet 3841 * 3842 * Returns 0 if the packet should be delivered, an error code otherwise 3843 */ 3844 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3845 { 3846 struct netlbl_lsm_secattr secattr; 3847 struct socket_smack *ssp = sk->sk_security; 3848 struct smack_known *skp = NULL; 3849 int rc = 0; 3850 struct smk_audit_info ad; 3851 u16 family = sk->sk_family; 3852 #ifdef CONFIG_AUDIT 3853 struct lsm_network_audit net; 3854 #endif 3855 #if IS_ENABLED(CONFIG_IPV6) 3856 struct sockaddr_in6 sadd; 3857 int proto; 3858 3859 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3860 family = PF_INET; 3861 #endif /* CONFIG_IPV6 */ 3862 3863 switch (family) { 3864 case PF_INET: 3865 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3866 /* 3867 * If there is a secmark use it rather than the CIPSO label. 3868 * If there is no secmark fall back to CIPSO. 3869 * The secmark is assumed to reflect policy better. 3870 */ 3871 if (skb && skb->secmark != 0) { 3872 skp = smack_from_secid(skb->secmark); 3873 goto access_check; 3874 } 3875 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3876 /* 3877 * Translate what netlabel gave us. 3878 */ 3879 netlbl_secattr_init(&secattr); 3880 3881 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3882 if (rc == 0) 3883 skp = smack_from_secattr(&secattr, ssp); 3884 else 3885 skp = smack_net_ambient; 3886 3887 netlbl_secattr_destroy(&secattr); 3888 3889 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3890 access_check: 3891 #endif 3892 #ifdef CONFIG_AUDIT 3893 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3894 ad.a.u.net->family = family; 3895 ad.a.u.net->netif = skb->skb_iif; 3896 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3897 #endif 3898 /* 3899 * Receiving a packet requires that the other end 3900 * be able to write here. Read access is not required. 3901 * This is the simplist possible security model 3902 * for networking. 3903 */ 3904 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3905 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3906 MAY_WRITE, rc); 3907 if (rc != 0) 3908 netlbl_skbuff_err(skb, family, rc, 0); 3909 break; 3910 #if IS_ENABLED(CONFIG_IPV6) 3911 case PF_INET6: 3912 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3913 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3914 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3915 break; 3916 #ifdef SMACK_IPV6_SECMARK_LABELING 3917 if (skb && skb->secmark != 0) 3918 skp = smack_from_secid(skb->secmark); 3919 else if (smk_ipv6_localhost(&sadd)) 3920 break; 3921 else 3922 skp = smack_ipv6host_label(&sadd); 3923 if (skp == NULL) 3924 skp = smack_net_ambient; 3925 if (skb == NULL) 3926 break; 3927 #ifdef CONFIG_AUDIT 3928 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3929 ad.a.u.net->family = family; 3930 ad.a.u.net->netif = skb->skb_iif; 3931 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3932 #endif /* CONFIG_AUDIT */ 3933 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3934 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3935 MAY_WRITE, rc); 3936 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3937 #ifdef SMACK_IPV6_PORT_LABELING 3938 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3939 #endif /* SMACK_IPV6_PORT_LABELING */ 3940 if (rc != 0) 3941 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3942 ICMPV6_ADM_PROHIBITED, 0); 3943 break; 3944 #endif /* CONFIG_IPV6 */ 3945 } 3946 3947 return rc; 3948 } 3949 3950 /** 3951 * smack_socket_getpeersec_stream - pull in packet label 3952 * @sock: the socket 3953 * @optval: user's destination 3954 * @optlen: size thereof 3955 * @len: max thereof 3956 * 3957 * returns zero on success, an error code otherwise 3958 */ 3959 static int smack_socket_getpeersec_stream(struct socket *sock, 3960 char __user *optval, 3961 int __user *optlen, unsigned len) 3962 { 3963 struct socket_smack *ssp; 3964 char *rcp = ""; 3965 int slen = 1; 3966 int rc = 0; 3967 3968 ssp = sock->sk->sk_security; 3969 if (ssp->smk_packet != NULL) { 3970 rcp = ssp->smk_packet->smk_known; 3971 slen = strlen(rcp) + 1; 3972 } 3973 3974 if (slen > len) 3975 rc = -ERANGE; 3976 else if (copy_to_user(optval, rcp, slen) != 0) 3977 rc = -EFAULT; 3978 3979 if (put_user(slen, optlen) != 0) 3980 rc = -EFAULT; 3981 3982 return rc; 3983 } 3984 3985 3986 /** 3987 * smack_socket_getpeersec_dgram - pull in packet label 3988 * @sock: the peer socket 3989 * @skb: packet data 3990 * @secid: pointer to where to put the secid of the packet 3991 * 3992 * Sets the netlabel socket state on sk from parent 3993 */ 3994 static int smack_socket_getpeersec_dgram(struct socket *sock, 3995 struct sk_buff *skb, u32 *secid) 3996 3997 { 3998 struct netlbl_lsm_secattr secattr; 3999 struct socket_smack *ssp = NULL; 4000 struct smack_known *skp; 4001 int family = PF_UNSPEC; 4002 u32 s = 0; /* 0 is the invalid secid */ 4003 int rc; 4004 4005 if (skb != NULL) { 4006 if (skb->protocol == htons(ETH_P_IP)) 4007 family = PF_INET; 4008 #if IS_ENABLED(CONFIG_IPV6) 4009 else if (skb->protocol == htons(ETH_P_IPV6)) 4010 family = PF_INET6; 4011 #endif /* CONFIG_IPV6 */ 4012 } 4013 if (family == PF_UNSPEC && sock != NULL) 4014 family = sock->sk->sk_family; 4015 4016 switch (family) { 4017 case PF_UNIX: 4018 ssp = sock->sk->sk_security; 4019 s = ssp->smk_out->smk_secid; 4020 break; 4021 case PF_INET: 4022 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4023 s = skb->secmark; 4024 if (s != 0) 4025 break; 4026 #endif 4027 /* 4028 * Translate what netlabel gave us. 4029 */ 4030 if (sock != NULL && sock->sk != NULL) 4031 ssp = sock->sk->sk_security; 4032 netlbl_secattr_init(&secattr); 4033 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4034 if (rc == 0) { 4035 skp = smack_from_secattr(&secattr, ssp); 4036 s = skp->smk_secid; 4037 } 4038 netlbl_secattr_destroy(&secattr); 4039 break; 4040 case PF_INET6: 4041 #ifdef SMACK_IPV6_SECMARK_LABELING 4042 s = skb->secmark; 4043 #endif 4044 break; 4045 } 4046 *secid = s; 4047 if (s == 0) 4048 return -EINVAL; 4049 return 0; 4050 } 4051 4052 /** 4053 * smack_sock_graft - Initialize a newly created socket with an existing sock 4054 * @sk: child sock 4055 * @parent: parent socket 4056 * 4057 * Set the smk_{in,out} state of an existing sock based on the process that 4058 * is creating the new socket. 4059 */ 4060 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4061 { 4062 struct socket_smack *ssp; 4063 struct smack_known *skp = smk_of_current(); 4064 4065 if (sk == NULL || 4066 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4067 return; 4068 4069 ssp = sk->sk_security; 4070 ssp->smk_in = skp; 4071 ssp->smk_out = skp; 4072 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4073 } 4074 4075 /** 4076 * smack_inet_conn_request - Smack access check on connect 4077 * @sk: socket involved 4078 * @skb: packet 4079 * @req: unused 4080 * 4081 * Returns 0 if a task with the packet label could write to 4082 * the socket, otherwise an error code 4083 */ 4084 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4085 struct request_sock *req) 4086 { 4087 u16 family = sk->sk_family; 4088 struct smack_known *skp; 4089 struct socket_smack *ssp = sk->sk_security; 4090 struct netlbl_lsm_secattr secattr; 4091 struct sockaddr_in addr; 4092 struct iphdr *hdr; 4093 struct smack_known *hskp; 4094 int rc; 4095 struct smk_audit_info ad; 4096 #ifdef CONFIG_AUDIT 4097 struct lsm_network_audit net; 4098 #endif 4099 4100 #if IS_ENABLED(CONFIG_IPV6) 4101 if (family == PF_INET6) { 4102 /* 4103 * Handle mapped IPv4 packets arriving 4104 * via IPv6 sockets. Don't set up netlabel 4105 * processing on IPv6. 4106 */ 4107 if (skb->protocol == htons(ETH_P_IP)) 4108 family = PF_INET; 4109 else 4110 return 0; 4111 } 4112 #endif /* CONFIG_IPV6 */ 4113 4114 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4115 /* 4116 * If there is a secmark use it rather than the CIPSO label. 4117 * If there is no secmark fall back to CIPSO. 4118 * The secmark is assumed to reflect policy better. 4119 */ 4120 if (skb && skb->secmark != 0) { 4121 skp = smack_from_secid(skb->secmark); 4122 goto access_check; 4123 } 4124 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4125 4126 netlbl_secattr_init(&secattr); 4127 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4128 if (rc == 0) 4129 skp = smack_from_secattr(&secattr, ssp); 4130 else 4131 skp = &smack_known_huh; 4132 netlbl_secattr_destroy(&secattr); 4133 4134 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4135 access_check: 4136 #endif 4137 4138 #ifdef CONFIG_AUDIT 4139 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4140 ad.a.u.net->family = family; 4141 ad.a.u.net->netif = skb->skb_iif; 4142 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4143 #endif 4144 /* 4145 * Receiving a packet requires that the other end be able to write 4146 * here. Read access is not required. 4147 */ 4148 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4149 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4150 if (rc != 0) 4151 return rc; 4152 4153 /* 4154 * Save the peer's label in the request_sock so we can later setup 4155 * smk_packet in the child socket so that SO_PEERCRED can report it. 4156 */ 4157 req->peer_secid = skp->smk_secid; 4158 4159 /* 4160 * We need to decide if we want to label the incoming connection here 4161 * if we do we only need to label the request_sock and the stack will 4162 * propagate the wire-label to the sock when it is created. 4163 */ 4164 hdr = ip_hdr(skb); 4165 addr.sin_addr.s_addr = hdr->saddr; 4166 rcu_read_lock(); 4167 hskp = smack_ipv4host_label(&addr); 4168 rcu_read_unlock(); 4169 4170 if (hskp == NULL) 4171 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4172 else 4173 netlbl_req_delattr(req); 4174 4175 return rc; 4176 } 4177 4178 /** 4179 * smack_inet_csk_clone - Copy the connection information to the new socket 4180 * @sk: the new socket 4181 * @req: the connection's request_sock 4182 * 4183 * Transfer the connection's peer label to the newly created socket. 4184 */ 4185 static void smack_inet_csk_clone(struct sock *sk, 4186 const struct request_sock *req) 4187 { 4188 struct socket_smack *ssp = sk->sk_security; 4189 struct smack_known *skp; 4190 4191 if (req->peer_secid != 0) { 4192 skp = smack_from_secid(req->peer_secid); 4193 ssp->smk_packet = skp; 4194 } else 4195 ssp->smk_packet = NULL; 4196 } 4197 4198 /* 4199 * Key management security hooks 4200 * 4201 * Casey has not tested key support very heavily. 4202 * The permission check is most likely too restrictive. 4203 * If you care about keys please have a look. 4204 */ 4205 #ifdef CONFIG_KEYS 4206 4207 /** 4208 * smack_key_alloc - Set the key security blob 4209 * @key: object 4210 * @cred: the credentials to use 4211 * @flags: unused 4212 * 4213 * No allocation required 4214 * 4215 * Returns 0 4216 */ 4217 static int smack_key_alloc(struct key *key, const struct cred *cred, 4218 unsigned long flags) 4219 { 4220 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4221 4222 key->security = skp; 4223 return 0; 4224 } 4225 4226 /** 4227 * smack_key_free - Clear the key security blob 4228 * @key: the object 4229 * 4230 * Clear the blob pointer 4231 */ 4232 static void smack_key_free(struct key *key) 4233 { 4234 key->security = NULL; 4235 } 4236 4237 /** 4238 * smack_key_permission - Smack access on a key 4239 * @key_ref: gets to the object 4240 * @cred: the credentials to use 4241 * @perm: requested key permissions 4242 * 4243 * Return 0 if the task has read and write to the object, 4244 * an error code otherwise 4245 */ 4246 static int smack_key_permission(key_ref_t key_ref, 4247 const struct cred *cred, unsigned perm) 4248 { 4249 struct key *keyp; 4250 struct smk_audit_info ad; 4251 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4252 int request = 0; 4253 int rc; 4254 4255 /* 4256 * Validate requested permissions 4257 */ 4258 if (perm & ~KEY_NEED_ALL) 4259 return -EINVAL; 4260 4261 keyp = key_ref_to_ptr(key_ref); 4262 if (keyp == NULL) 4263 return -EINVAL; 4264 /* 4265 * If the key hasn't been initialized give it access so that 4266 * it may do so. 4267 */ 4268 if (keyp->security == NULL) 4269 return 0; 4270 /* 4271 * This should not occur 4272 */ 4273 if (tkp == NULL) 4274 return -EACCES; 4275 4276 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4277 return 0; 4278 4279 #ifdef CONFIG_AUDIT 4280 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4281 ad.a.u.key_struct.key = keyp->serial; 4282 ad.a.u.key_struct.key_desc = keyp->description; 4283 #endif 4284 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4285 request |= MAY_READ; 4286 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4287 request |= MAY_WRITE; 4288 rc = smk_access(tkp, keyp->security, request, &ad); 4289 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4290 return rc; 4291 } 4292 4293 /* 4294 * smack_key_getsecurity - Smack label tagging the key 4295 * @key points to the key to be queried 4296 * @_buffer points to a pointer that should be set to point to the 4297 * resulting string (if no label or an error occurs). 4298 * Return the length of the string (including terminating NUL) or -ve if 4299 * an error. 4300 * May also return 0 (and a NULL buffer pointer) if there is no label. 4301 */ 4302 static int smack_key_getsecurity(struct key *key, char **_buffer) 4303 { 4304 struct smack_known *skp = key->security; 4305 size_t length; 4306 char *copy; 4307 4308 if (key->security == NULL) { 4309 *_buffer = NULL; 4310 return 0; 4311 } 4312 4313 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4314 if (copy == NULL) 4315 return -ENOMEM; 4316 length = strlen(copy) + 1; 4317 4318 *_buffer = copy; 4319 return length; 4320 } 4321 4322 #endif /* CONFIG_KEYS */ 4323 4324 /* 4325 * Smack Audit hooks 4326 * 4327 * Audit requires a unique representation of each Smack specific 4328 * rule. This unique representation is used to distinguish the 4329 * object to be audited from remaining kernel objects and also 4330 * works as a glue between the audit hooks. 4331 * 4332 * Since repository entries are added but never deleted, we'll use 4333 * the smack_known label address related to the given audit rule as 4334 * the needed unique representation. This also better fits the smack 4335 * model where nearly everything is a label. 4336 */ 4337 #ifdef CONFIG_AUDIT 4338 4339 /** 4340 * smack_audit_rule_init - Initialize a smack audit rule 4341 * @field: audit rule fields given from user-space (audit.h) 4342 * @op: required testing operator (=, !=, >, <, ...) 4343 * @rulestr: smack label to be audited 4344 * @vrule: pointer to save our own audit rule representation 4345 * 4346 * Prepare to audit cases where (@field @op @rulestr) is true. 4347 * The label to be audited is created if necessay. 4348 */ 4349 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4350 { 4351 struct smack_known *skp; 4352 char **rule = (char **)vrule; 4353 *rule = NULL; 4354 4355 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4356 return -EINVAL; 4357 4358 if (op != Audit_equal && op != Audit_not_equal) 4359 return -EINVAL; 4360 4361 skp = smk_import_entry(rulestr, 0); 4362 if (IS_ERR(skp)) 4363 return PTR_ERR(skp); 4364 4365 *rule = skp->smk_known; 4366 4367 return 0; 4368 } 4369 4370 /** 4371 * smack_audit_rule_known - Distinguish Smack audit rules 4372 * @krule: rule of interest, in Audit kernel representation format 4373 * 4374 * This is used to filter Smack rules from remaining Audit ones. 4375 * If it's proved that this rule belongs to us, the 4376 * audit_rule_match hook will be called to do the final judgement. 4377 */ 4378 static int smack_audit_rule_known(struct audit_krule *krule) 4379 { 4380 struct audit_field *f; 4381 int i; 4382 4383 for (i = 0; i < krule->field_count; i++) { 4384 f = &krule->fields[i]; 4385 4386 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4387 return 1; 4388 } 4389 4390 return 0; 4391 } 4392 4393 /** 4394 * smack_audit_rule_match - Audit given object ? 4395 * @secid: security id for identifying the object to test 4396 * @field: audit rule flags given from user-space 4397 * @op: required testing operator 4398 * @vrule: smack internal rule presentation 4399 * 4400 * The core Audit hook. It's used to take the decision of 4401 * whether to audit or not to audit a given object. 4402 */ 4403 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4404 { 4405 struct smack_known *skp; 4406 char *rule = vrule; 4407 4408 if (unlikely(!rule)) { 4409 WARN_ONCE(1, "Smack: missing rule\n"); 4410 return -ENOENT; 4411 } 4412 4413 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4414 return 0; 4415 4416 skp = smack_from_secid(secid); 4417 4418 /* 4419 * No need to do string comparisons. If a match occurs, 4420 * both pointers will point to the same smack_known 4421 * label. 4422 */ 4423 if (op == Audit_equal) 4424 return (rule == skp->smk_known); 4425 if (op == Audit_not_equal) 4426 return (rule != skp->smk_known); 4427 4428 return 0; 4429 } 4430 4431 /* 4432 * There is no need for a smack_audit_rule_free hook. 4433 * No memory was allocated. 4434 */ 4435 4436 #endif /* CONFIG_AUDIT */ 4437 4438 /** 4439 * smack_ismaclabel - check if xattr @name references a smack MAC label 4440 * @name: Full xattr name to check. 4441 */ 4442 static int smack_ismaclabel(const char *name) 4443 { 4444 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4445 } 4446 4447 4448 /** 4449 * smack_secid_to_secctx - return the smack label for a secid 4450 * @secid: incoming integer 4451 * @secdata: destination 4452 * @seclen: how long it is 4453 * 4454 * Exists for networking code. 4455 */ 4456 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4457 { 4458 struct smack_known *skp = smack_from_secid(secid); 4459 4460 if (secdata) 4461 *secdata = skp->smk_known; 4462 *seclen = strlen(skp->smk_known); 4463 return 0; 4464 } 4465 4466 /** 4467 * smack_secctx_to_secid - return the secid for a smack label 4468 * @secdata: smack label 4469 * @seclen: how long result is 4470 * @secid: outgoing integer 4471 * 4472 * Exists for audit and networking code. 4473 */ 4474 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4475 { 4476 struct smack_known *skp = smk_find_entry(secdata); 4477 4478 if (skp) 4479 *secid = skp->smk_secid; 4480 else 4481 *secid = 0; 4482 return 0; 4483 } 4484 4485 /* 4486 * There used to be a smack_release_secctx hook 4487 * that did nothing back when hooks were in a vector. 4488 * Now that there's a list such a hook adds cost. 4489 */ 4490 4491 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4492 { 4493 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4494 } 4495 4496 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4497 { 4498 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4499 } 4500 4501 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4502 { 4503 struct smack_known *skp = smk_of_inode(inode); 4504 4505 *ctx = skp->smk_known; 4506 *ctxlen = strlen(skp->smk_known); 4507 return 0; 4508 } 4509 4510 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4511 { 4512 4513 struct task_smack *tsp; 4514 struct smack_known *skp; 4515 struct inode_smack *isp; 4516 struct cred *new_creds = *new; 4517 4518 if (new_creds == NULL) { 4519 new_creds = prepare_creds(); 4520 if (new_creds == NULL) 4521 return -ENOMEM; 4522 } 4523 4524 tsp = smack_cred(new_creds); 4525 4526 /* 4527 * Get label from overlay inode and set it in create_sid 4528 */ 4529 isp = smack_inode(d_inode(dentry->d_parent)); 4530 skp = isp->smk_inode; 4531 tsp->smk_task = skp; 4532 *new = new_creds; 4533 return 0; 4534 } 4535 4536 static int smack_inode_copy_up_xattr(const char *name) 4537 { 4538 /* 4539 * Return 1 if this is the smack access Smack attribute. 4540 */ 4541 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4542 return 1; 4543 4544 return -EOPNOTSUPP; 4545 } 4546 4547 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4548 struct qstr *name, 4549 const struct cred *old, 4550 struct cred *new) 4551 { 4552 struct task_smack *otsp = smack_cred(old); 4553 struct task_smack *ntsp = smack_cred(new); 4554 struct inode_smack *isp; 4555 int may; 4556 4557 /* 4558 * Use the process credential unless all of 4559 * the transmuting criteria are met 4560 */ 4561 ntsp->smk_task = otsp->smk_task; 4562 4563 /* 4564 * the attribute of the containing directory 4565 */ 4566 isp = smack_inode(d_inode(dentry->d_parent)); 4567 4568 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4569 rcu_read_lock(); 4570 may = smk_access_entry(otsp->smk_task->smk_known, 4571 isp->smk_inode->smk_known, 4572 &otsp->smk_task->smk_rules); 4573 rcu_read_unlock(); 4574 4575 /* 4576 * If the directory is transmuting and the rule 4577 * providing access is transmuting use the containing 4578 * directory label instead of the process label. 4579 */ 4580 if (may > 0 && (may & MAY_TRANSMUTE)) 4581 ntsp->smk_task = isp->smk_inode; 4582 } 4583 return 0; 4584 } 4585 4586 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { 4587 .lbs_cred = sizeof(struct task_smack), 4588 .lbs_file = sizeof(struct smack_known *), 4589 .lbs_inode = sizeof(struct inode_smack), 4590 .lbs_ipc = sizeof(struct smack_known *), 4591 .lbs_msg_msg = sizeof(struct smack_known *), 4592 }; 4593 4594 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4595 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4596 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4597 LSM_HOOK_INIT(syslog, smack_syslog), 4598 4599 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 4600 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 4601 4602 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4603 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4604 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4605 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4606 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4607 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4608 4609 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4610 4611 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4612 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4613 LSM_HOOK_INIT(inode_link, smack_inode_link), 4614 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4615 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4616 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4617 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4618 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4619 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4620 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4621 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4622 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4623 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4624 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4625 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4626 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4627 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4628 4629 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4630 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4631 LSM_HOOK_INIT(file_lock, smack_file_lock), 4632 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4633 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4634 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4635 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4636 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4637 LSM_HOOK_INIT(file_receive, smack_file_receive), 4638 4639 LSM_HOOK_INIT(file_open, smack_file_open), 4640 4641 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4642 LSM_HOOK_INIT(cred_free, smack_cred_free), 4643 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4644 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4645 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4646 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4647 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4648 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4649 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4650 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4651 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4652 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4653 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4654 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4655 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4656 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4657 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4658 LSM_HOOK_INIT(task_kill, smack_task_kill), 4659 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4660 4661 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4662 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4663 4664 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4665 4666 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4667 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4668 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4669 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4670 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4671 4672 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4673 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4674 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4675 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4676 4677 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4678 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4679 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4680 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4681 4682 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4683 4684 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4685 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4686 4687 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4688 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4689 4690 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4691 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4692 #ifdef SMACK_IPV6_PORT_LABELING 4693 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4694 #endif 4695 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4696 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4697 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4698 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4699 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4700 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4701 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4702 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4703 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4704 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4705 4706 /* key management security hooks */ 4707 #ifdef CONFIG_KEYS 4708 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4709 LSM_HOOK_INIT(key_free, smack_key_free), 4710 LSM_HOOK_INIT(key_permission, smack_key_permission), 4711 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4712 #endif /* CONFIG_KEYS */ 4713 4714 /* Audit hooks */ 4715 #ifdef CONFIG_AUDIT 4716 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4717 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4718 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4719 #endif /* CONFIG_AUDIT */ 4720 4721 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4722 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4723 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4724 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4725 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4726 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4727 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4728 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4729 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4730 }; 4731 4732 4733 static __init void init_smack_known_list(void) 4734 { 4735 /* 4736 * Initialize rule list locks 4737 */ 4738 mutex_init(&smack_known_huh.smk_rules_lock); 4739 mutex_init(&smack_known_hat.smk_rules_lock); 4740 mutex_init(&smack_known_floor.smk_rules_lock); 4741 mutex_init(&smack_known_star.smk_rules_lock); 4742 mutex_init(&smack_known_web.smk_rules_lock); 4743 /* 4744 * Initialize rule lists 4745 */ 4746 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4747 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4748 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4749 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4750 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4751 /* 4752 * Create the known labels list 4753 */ 4754 smk_insert_entry(&smack_known_huh); 4755 smk_insert_entry(&smack_known_hat); 4756 smk_insert_entry(&smack_known_star); 4757 smk_insert_entry(&smack_known_floor); 4758 smk_insert_entry(&smack_known_web); 4759 } 4760 4761 /** 4762 * smack_init - initialize the smack system 4763 * 4764 * Returns 0 on success, -ENOMEM is there's no memory 4765 */ 4766 static __init int smack_init(void) 4767 { 4768 struct cred *cred = (struct cred *) current->cred; 4769 struct task_smack *tsp; 4770 4771 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4772 if (!smack_inode_cache) 4773 return -ENOMEM; 4774 4775 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 4776 if (!smack_rule_cache) { 4777 kmem_cache_destroy(smack_inode_cache); 4778 return -ENOMEM; 4779 } 4780 4781 /* 4782 * Set the security state for the initial task. 4783 */ 4784 tsp = smack_cred(cred); 4785 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 4786 4787 /* 4788 * Register with LSM 4789 */ 4790 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4791 smack_enabled = 1; 4792 4793 pr_info("Smack: Initializing.\n"); 4794 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4795 pr_info("Smack: Netfilter enabled.\n"); 4796 #endif 4797 #ifdef SMACK_IPV6_PORT_LABELING 4798 pr_info("Smack: IPv6 port labeling enabled.\n"); 4799 #endif 4800 #ifdef SMACK_IPV6_SECMARK_LABELING 4801 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4802 #endif 4803 4804 /* initialize the smack_known_list */ 4805 init_smack_known_list(); 4806 4807 return 0; 4808 } 4809 4810 /* 4811 * Smack requires early initialization in order to label 4812 * all processes and objects when they are created. 4813 */ 4814 DEFINE_LSM(smack) = { 4815 .name = "smack", 4816 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 4817 .blobs = &smack_blob_sizes, 4818 .init = smack_init, 4819 }; 4820