1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <uapi/linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include <linux/watch_queue.h> 46 #include <linux/io_uring/cmd.h> 47 #include <uapi/linux/lsm.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 /* 58 * Smack uses multiple xattrs. 59 * SMACK64 - for access control, 60 * SMACK64TRANSMUTE - label initialization, 61 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 62 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 63 */ 64 #define SMACK_INODE_INIT_XATTRS 2 65 66 #ifdef SMACK_IPV6_PORT_LABELING 67 static DEFINE_MUTEX(smack_ipv6_lock); 68 static LIST_HEAD(smk_ipv6_port_list); 69 #endif 70 struct kmem_cache *smack_rule_cache; 71 int smack_enabled __initdata; 72 73 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 74 static struct { 75 const char *name; 76 int len; 77 int opt; 78 } smk_mount_opts[] = { 79 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 80 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 81 }; 82 #undef A 83 84 static int match_opt_prefix(char *s, int l, char **arg) 85 { 86 int i; 87 88 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 89 size_t len = smk_mount_opts[i].len; 90 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 91 continue; 92 if (len == l || s[len] != '=') 93 continue; 94 *arg = s + len + 1; 95 return smk_mount_opts[i].opt; 96 } 97 return Opt_error; 98 } 99 100 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 101 static char *smk_bu_mess[] = { 102 "Bringup Error", /* Unused */ 103 "Bringup", /* SMACK_BRINGUP_ALLOW */ 104 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 105 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 106 }; 107 108 static void smk_bu_mode(int mode, char *s) 109 { 110 int i = 0; 111 112 if (mode & MAY_READ) 113 s[i++] = 'r'; 114 if (mode & MAY_WRITE) 115 s[i++] = 'w'; 116 if (mode & MAY_EXEC) 117 s[i++] = 'x'; 118 if (mode & MAY_APPEND) 119 s[i++] = 'a'; 120 if (mode & MAY_TRANSMUTE) 121 s[i++] = 't'; 122 if (mode & MAY_LOCK) 123 s[i++] = 'l'; 124 if (i == 0) 125 s[i++] = '-'; 126 s[i] = '\0'; 127 } 128 #endif 129 130 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 131 static int smk_bu_note(char *note, struct smack_known *sskp, 132 struct smack_known *oskp, int mode, int rc) 133 { 134 char acc[SMK_NUM_ACCESS_TYPE + 1]; 135 136 if (rc <= 0) 137 return rc; 138 if (rc > SMACK_UNCONFINED_OBJECT) 139 rc = 0; 140 141 smk_bu_mode(mode, acc); 142 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 143 sskp->smk_known, oskp->smk_known, acc, note); 144 return 0; 145 } 146 #else 147 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 148 #endif 149 150 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 151 static int smk_bu_current(char *note, struct smack_known *oskp, 152 int mode, int rc) 153 { 154 struct task_smack *tsp = smack_cred(current_cred()); 155 char acc[SMK_NUM_ACCESS_TYPE + 1]; 156 157 if (rc <= 0) 158 return rc; 159 if (rc > SMACK_UNCONFINED_OBJECT) 160 rc = 0; 161 162 smk_bu_mode(mode, acc); 163 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 164 tsp->smk_task->smk_known, oskp->smk_known, 165 acc, current->comm, note); 166 return 0; 167 } 168 #else 169 #define smk_bu_current(note, oskp, mode, RC) (RC) 170 #endif 171 172 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 173 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 174 { 175 struct task_smack *tsp = smack_cred(current_cred()); 176 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 177 char acc[SMK_NUM_ACCESS_TYPE + 1]; 178 179 if (rc <= 0) 180 return rc; 181 if (rc > SMACK_UNCONFINED_OBJECT) 182 rc = 0; 183 184 smk_bu_mode(mode, acc); 185 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 186 tsp->smk_task->smk_known, smk_task->smk_known, acc, 187 current->comm, otp->comm); 188 return 0; 189 } 190 #else 191 #define smk_bu_task(otp, mode, RC) (RC) 192 #endif 193 194 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 195 static int smk_bu_inode(struct inode *inode, int mode, int rc) 196 { 197 struct task_smack *tsp = smack_cred(current_cred()); 198 struct inode_smack *isp = smack_inode(inode); 199 char acc[SMK_NUM_ACCESS_TYPE + 1]; 200 201 if (isp->smk_flags & SMK_INODE_IMPURE) 202 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 203 inode->i_sb->s_id, inode->i_ino, current->comm); 204 205 if (rc <= 0) 206 return rc; 207 if (rc > SMACK_UNCONFINED_OBJECT) 208 rc = 0; 209 if (rc == SMACK_UNCONFINED_SUBJECT && 210 (mode & (MAY_WRITE | MAY_APPEND))) 211 isp->smk_flags |= SMK_INODE_IMPURE; 212 213 smk_bu_mode(mode, acc); 214 215 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 216 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 217 inode->i_sb->s_id, inode->i_ino, current->comm); 218 return 0; 219 } 220 #else 221 #define smk_bu_inode(inode, mode, RC) (RC) 222 #endif 223 224 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 225 static int smk_bu_file(struct file *file, int mode, int rc) 226 { 227 struct task_smack *tsp = smack_cred(current_cred()); 228 struct smack_known *sskp = tsp->smk_task; 229 struct inode *inode = file_inode(file); 230 struct inode_smack *isp = smack_inode(inode); 231 char acc[SMK_NUM_ACCESS_TYPE + 1]; 232 233 if (isp->smk_flags & SMK_INODE_IMPURE) 234 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 235 inode->i_sb->s_id, inode->i_ino, current->comm); 236 237 if (rc <= 0) 238 return rc; 239 if (rc > SMACK_UNCONFINED_OBJECT) 240 rc = 0; 241 242 smk_bu_mode(mode, acc); 243 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 244 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 245 inode->i_sb->s_id, inode->i_ino, file, 246 current->comm); 247 return 0; 248 } 249 #else 250 #define smk_bu_file(file, mode, RC) (RC) 251 #endif 252 253 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 254 static int smk_bu_credfile(const struct cred *cred, struct file *file, 255 int mode, int rc) 256 { 257 struct task_smack *tsp = smack_cred(cred); 258 struct smack_known *sskp = tsp->smk_task; 259 struct inode *inode = file_inode(file); 260 struct inode_smack *isp = smack_inode(inode); 261 char acc[SMK_NUM_ACCESS_TYPE + 1]; 262 263 if (isp->smk_flags & SMK_INODE_IMPURE) 264 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 265 inode->i_sb->s_id, inode->i_ino, current->comm); 266 267 if (rc <= 0) 268 return rc; 269 if (rc > SMACK_UNCONFINED_OBJECT) 270 rc = 0; 271 272 smk_bu_mode(mode, acc); 273 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 274 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 275 inode->i_sb->s_id, inode->i_ino, file, 276 current->comm); 277 return 0; 278 } 279 #else 280 #define smk_bu_credfile(cred, file, mode, RC) (RC) 281 #endif 282 283 /** 284 * smk_fetch - Fetch the smack label from a file. 285 * @name: type of the label (attribute) 286 * @ip: a pointer to the inode 287 * @dp: a pointer to the dentry 288 * 289 * Returns a pointer to the master list entry for the Smack label, 290 * NULL if there was no label to fetch, or an error code. 291 */ 292 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 293 struct dentry *dp) 294 { 295 int rc; 296 char *buffer; 297 struct smack_known *skp = NULL; 298 299 if (!(ip->i_opflags & IOP_XATTR)) 300 return ERR_PTR(-EOPNOTSUPP); 301 302 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 303 if (buffer == NULL) 304 return ERR_PTR(-ENOMEM); 305 306 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 307 if (rc < 0) 308 skp = ERR_PTR(rc); 309 else if (rc == 0) 310 skp = NULL; 311 else 312 skp = smk_import_entry(buffer, rc); 313 314 kfree(buffer); 315 316 return skp; 317 } 318 319 /** 320 * init_inode_smack - initialize an inode security blob 321 * @inode: inode to extract the info from 322 * @skp: a pointer to the Smack label entry to use in the blob 323 * 324 */ 325 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 326 { 327 struct inode_smack *isp = smack_inode(inode); 328 329 isp->smk_inode = skp; 330 isp->smk_flags = 0; 331 } 332 333 /** 334 * init_task_smack - initialize a task security blob 335 * @tsp: blob to initialize 336 * @task: a pointer to the Smack label for the running task 337 * @forked: a pointer to the Smack label for the forked task 338 * 339 */ 340 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 341 struct smack_known *forked) 342 { 343 tsp->smk_task = task; 344 tsp->smk_forked = forked; 345 INIT_LIST_HEAD(&tsp->smk_rules); 346 INIT_LIST_HEAD(&tsp->smk_relabel); 347 mutex_init(&tsp->smk_rules_lock); 348 } 349 350 /** 351 * smk_copy_rules - copy a rule set 352 * @nhead: new rules header pointer 353 * @ohead: old rules header pointer 354 * @gfp: type of the memory for the allocation 355 * 356 * Returns 0 on success, -ENOMEM on error 357 */ 358 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 359 gfp_t gfp) 360 { 361 struct smack_rule *nrp; 362 struct smack_rule *orp; 363 int rc = 0; 364 365 list_for_each_entry_rcu(orp, ohead, list) { 366 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 367 if (nrp == NULL) { 368 rc = -ENOMEM; 369 break; 370 } 371 *nrp = *orp; 372 list_add_rcu(&nrp->list, nhead); 373 } 374 return rc; 375 } 376 377 /** 378 * smk_copy_relabel - copy smk_relabel labels list 379 * @nhead: new rules header pointer 380 * @ohead: old rules header pointer 381 * @gfp: type of the memory for the allocation 382 * 383 * Returns 0 on success, -ENOMEM on error 384 */ 385 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 386 gfp_t gfp) 387 { 388 struct smack_known_list_elem *nklep; 389 struct smack_known_list_elem *oklep; 390 391 list_for_each_entry(oklep, ohead, list) { 392 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 393 if (nklep == NULL) { 394 smk_destroy_label_list(nhead); 395 return -ENOMEM; 396 } 397 nklep->smk_label = oklep->smk_label; 398 list_add(&nklep->list, nhead); 399 } 400 401 return 0; 402 } 403 404 /** 405 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 406 * @mode: input mode in form of PTRACE_MODE_* 407 * 408 * Returns a converted MAY_* mode usable by smack rules 409 */ 410 static inline unsigned int smk_ptrace_mode(unsigned int mode) 411 { 412 if (mode & PTRACE_MODE_ATTACH) 413 return MAY_READWRITE; 414 if (mode & PTRACE_MODE_READ) 415 return MAY_READ; 416 417 return 0; 418 } 419 420 /** 421 * smk_ptrace_rule_check - helper for ptrace access 422 * @tracer: tracer process 423 * @tracee_known: label entry of the process that's about to be traced 424 * @mode: ptrace attachment mode (PTRACE_MODE_*) 425 * @func: name of the function that called us, used for audit 426 * 427 * Returns 0 on access granted, -error on error 428 */ 429 static int smk_ptrace_rule_check(struct task_struct *tracer, 430 struct smack_known *tracee_known, 431 unsigned int mode, const char *func) 432 { 433 int rc; 434 struct smk_audit_info ad, *saip = NULL; 435 struct task_smack *tsp; 436 struct smack_known *tracer_known; 437 const struct cred *tracercred; 438 439 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 440 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 441 smk_ad_setfield_u_tsk(&ad, tracer); 442 saip = &ad; 443 } 444 445 rcu_read_lock(); 446 tracercred = __task_cred(tracer); 447 tsp = smack_cred(tracercred); 448 tracer_known = smk_of_task(tsp); 449 450 if ((mode & PTRACE_MODE_ATTACH) && 451 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 452 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 453 if (tracer_known->smk_known == tracee_known->smk_known) 454 rc = 0; 455 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 456 rc = -EACCES; 457 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 458 rc = 0; 459 else 460 rc = -EACCES; 461 462 if (saip) 463 smack_log(tracer_known->smk_known, 464 tracee_known->smk_known, 465 0, rc, saip); 466 467 rcu_read_unlock(); 468 return rc; 469 } 470 471 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 472 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 473 474 rcu_read_unlock(); 475 return rc; 476 } 477 478 /* 479 * LSM hooks. 480 * We he, that is fun! 481 */ 482 483 /** 484 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 485 * @ctp: child task pointer 486 * @mode: ptrace attachment mode (PTRACE_MODE_*) 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks. 491 */ 492 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 493 { 494 struct smack_known *skp; 495 496 skp = smk_of_task_struct_obj(ctp); 497 498 return smk_ptrace_rule_check(current, skp, mode, __func__); 499 } 500 501 /** 502 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 503 * @ptp: parent task pointer 504 * 505 * Returns 0 if access is OK, an error code otherwise 506 * 507 * Do the capability checks, and require PTRACE_MODE_ATTACH. 508 */ 509 static int smack_ptrace_traceme(struct task_struct *ptp) 510 { 511 struct smack_known *skp; 512 513 skp = smk_of_task(smack_cred(current_cred())); 514 515 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 516 } 517 518 /** 519 * smack_syslog - Smack approval on syslog 520 * @typefrom_file: unused 521 * 522 * Returns 0 on success, error code otherwise. 523 */ 524 static int smack_syslog(int typefrom_file) 525 { 526 int rc = 0; 527 struct smack_known *skp = smk_of_current(); 528 529 if (smack_privileged(CAP_MAC_OVERRIDE)) 530 return 0; 531 532 if (smack_syslog_label != NULL && smack_syslog_label != skp) 533 rc = -EACCES; 534 535 return rc; 536 } 537 538 /* 539 * Superblock Hooks. 540 */ 541 542 /** 543 * smack_sb_alloc_security - allocate a superblock blob 544 * @sb: the superblock getting the blob 545 * 546 * Returns 0 on success or -ENOMEM on error. 547 */ 548 static int smack_sb_alloc_security(struct super_block *sb) 549 { 550 struct superblock_smack *sbsp = smack_superblock(sb); 551 552 sbsp->smk_root = &smack_known_floor; 553 sbsp->smk_default = &smack_known_floor; 554 sbsp->smk_floor = &smack_known_floor; 555 sbsp->smk_hat = &smack_known_hat; 556 /* 557 * SMK_SB_INITIALIZED will be zero from kzalloc. 558 */ 559 560 return 0; 561 } 562 563 struct smack_mnt_opts { 564 const char *fsdefault; 565 const char *fsfloor; 566 const char *fshat; 567 const char *fsroot; 568 const char *fstransmute; 569 }; 570 571 static void smack_free_mnt_opts(void *mnt_opts) 572 { 573 kfree(mnt_opts); 574 } 575 576 static int smack_add_opt(int token, const char *s, void **mnt_opts) 577 { 578 struct smack_mnt_opts *opts = *mnt_opts; 579 struct smack_known *skp; 580 581 if (!opts) { 582 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 583 if (!opts) 584 return -ENOMEM; 585 *mnt_opts = opts; 586 } 587 if (!s) 588 return -ENOMEM; 589 590 skp = smk_import_entry(s, 0); 591 if (IS_ERR(skp)) 592 return PTR_ERR(skp); 593 594 switch (token) { 595 case Opt_fsdefault: 596 if (opts->fsdefault) 597 goto out_opt_err; 598 opts->fsdefault = skp->smk_known; 599 break; 600 case Opt_fsfloor: 601 if (opts->fsfloor) 602 goto out_opt_err; 603 opts->fsfloor = skp->smk_known; 604 break; 605 case Opt_fshat: 606 if (opts->fshat) 607 goto out_opt_err; 608 opts->fshat = skp->smk_known; 609 break; 610 case Opt_fsroot: 611 if (opts->fsroot) 612 goto out_opt_err; 613 opts->fsroot = skp->smk_known; 614 break; 615 case Opt_fstransmute: 616 if (opts->fstransmute) 617 goto out_opt_err; 618 opts->fstransmute = skp->smk_known; 619 break; 620 } 621 return 0; 622 623 out_opt_err: 624 pr_warn("Smack: duplicate mount options\n"); 625 return -EINVAL; 626 } 627 628 /** 629 * smack_fs_context_submount - Initialise security data for a filesystem context 630 * @fc: The filesystem context. 631 * @reference: reference superblock 632 * 633 * Returns 0 on success or -ENOMEM on error. 634 */ 635 static int smack_fs_context_submount(struct fs_context *fc, 636 struct super_block *reference) 637 { 638 struct superblock_smack *sbsp; 639 struct smack_mnt_opts *ctx; 640 struct inode_smack *isp; 641 642 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 643 if (!ctx) 644 return -ENOMEM; 645 fc->security = ctx; 646 647 sbsp = smack_superblock(reference); 648 isp = smack_inode(reference->s_root->d_inode); 649 650 if (sbsp->smk_default) { 651 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 652 if (!ctx->fsdefault) 653 return -ENOMEM; 654 } 655 656 if (sbsp->smk_floor) { 657 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 658 if (!ctx->fsfloor) 659 return -ENOMEM; 660 } 661 662 if (sbsp->smk_hat) { 663 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 664 if (!ctx->fshat) 665 return -ENOMEM; 666 } 667 668 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 669 if (sbsp->smk_root) { 670 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 671 if (!ctx->fstransmute) 672 return -ENOMEM; 673 } 674 } 675 return 0; 676 } 677 678 /** 679 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 680 * @fc: The new filesystem context. 681 * @src_fc: The source filesystem context being duplicated. 682 * 683 * Returns 0 on success or -ENOMEM on error. 684 */ 685 static int smack_fs_context_dup(struct fs_context *fc, 686 struct fs_context *src_fc) 687 { 688 struct smack_mnt_opts *dst, *src = src_fc->security; 689 690 if (!src) 691 return 0; 692 693 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 694 if (!fc->security) 695 return -ENOMEM; 696 697 dst = fc->security; 698 dst->fsdefault = src->fsdefault; 699 dst->fsfloor = src->fsfloor; 700 dst->fshat = src->fshat; 701 dst->fsroot = src->fsroot; 702 dst->fstransmute = src->fstransmute; 703 704 return 0; 705 } 706 707 static const struct fs_parameter_spec smack_fs_parameters[] = { 708 fsparam_string("smackfsdef", Opt_fsdefault), 709 fsparam_string("smackfsdefault", Opt_fsdefault), 710 fsparam_string("smackfsfloor", Opt_fsfloor), 711 fsparam_string("smackfshat", Opt_fshat), 712 fsparam_string("smackfsroot", Opt_fsroot), 713 fsparam_string("smackfstransmute", Opt_fstransmute), 714 {} 715 }; 716 717 /** 718 * smack_fs_context_parse_param - Parse a single mount parameter 719 * @fc: The new filesystem context being constructed. 720 * @param: The parameter. 721 * 722 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 723 * error. 724 */ 725 static int smack_fs_context_parse_param(struct fs_context *fc, 726 struct fs_parameter *param) 727 { 728 struct fs_parse_result result; 729 int opt, rc; 730 731 opt = fs_parse(fc, smack_fs_parameters, param, &result); 732 if (opt < 0) 733 return opt; 734 735 rc = smack_add_opt(opt, param->string, &fc->security); 736 if (!rc) 737 param->string = NULL; 738 return rc; 739 } 740 741 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 742 { 743 char *from = options, *to = options; 744 bool first = true; 745 746 while (1) { 747 char *next = strchr(from, ','); 748 int token, len, rc; 749 char *arg = NULL; 750 751 if (next) 752 len = next - from; 753 else 754 len = strlen(from); 755 756 token = match_opt_prefix(from, len, &arg); 757 if (token != Opt_error) { 758 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 759 rc = smack_add_opt(token, arg, mnt_opts); 760 kfree(arg); 761 if (unlikely(rc)) { 762 if (*mnt_opts) 763 smack_free_mnt_opts(*mnt_opts); 764 *mnt_opts = NULL; 765 return rc; 766 } 767 } else { 768 if (!first) { // copy with preceding comma 769 from--; 770 len++; 771 } 772 if (to != from) 773 memmove(to, from, len); 774 to += len; 775 first = false; 776 } 777 if (!from[len]) 778 break; 779 from += len + 1; 780 } 781 *to = '\0'; 782 return 0; 783 } 784 785 /** 786 * smack_set_mnt_opts - set Smack specific mount options 787 * @sb: the file system superblock 788 * @mnt_opts: Smack mount options 789 * @kern_flags: mount option from kernel space or user space 790 * @set_kern_flags: where to store converted mount opts 791 * 792 * Returns 0 on success, an error code on failure 793 * 794 * Allow filesystems with binary mount data to explicitly set Smack mount 795 * labels. 796 */ 797 static int smack_set_mnt_opts(struct super_block *sb, 798 void *mnt_opts, 799 unsigned long kern_flags, 800 unsigned long *set_kern_flags) 801 { 802 struct dentry *root = sb->s_root; 803 struct inode *inode = d_backing_inode(root); 804 struct superblock_smack *sp = smack_superblock(sb); 805 struct inode_smack *isp; 806 struct smack_known *skp; 807 struct smack_mnt_opts *opts = mnt_opts; 808 bool transmute = false; 809 810 if (sp->smk_flags & SMK_SB_INITIALIZED) 811 return 0; 812 813 if (!smack_privileged(CAP_MAC_ADMIN)) { 814 /* 815 * Unprivileged mounts don't get to specify Smack values. 816 */ 817 if (opts) 818 return -EPERM; 819 /* 820 * Unprivileged mounts get root and default from the caller. 821 */ 822 skp = smk_of_current(); 823 sp->smk_root = skp; 824 sp->smk_default = skp; 825 /* 826 * For a handful of fs types with no user-controlled 827 * backing store it's okay to trust security labels 828 * in the filesystem. The rest are untrusted. 829 */ 830 if (sb->s_user_ns != &init_user_ns && 831 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 832 sb->s_magic != RAMFS_MAGIC) { 833 transmute = true; 834 sp->smk_flags |= SMK_SB_UNTRUSTED; 835 } 836 } 837 838 sp->smk_flags |= SMK_SB_INITIALIZED; 839 840 if (opts) { 841 if (opts->fsdefault) { 842 skp = smk_import_entry(opts->fsdefault, 0); 843 if (IS_ERR(skp)) 844 return PTR_ERR(skp); 845 sp->smk_default = skp; 846 } 847 if (opts->fsfloor) { 848 skp = smk_import_entry(opts->fsfloor, 0); 849 if (IS_ERR(skp)) 850 return PTR_ERR(skp); 851 sp->smk_floor = skp; 852 } 853 if (opts->fshat) { 854 skp = smk_import_entry(opts->fshat, 0); 855 if (IS_ERR(skp)) 856 return PTR_ERR(skp); 857 sp->smk_hat = skp; 858 } 859 if (opts->fsroot) { 860 skp = smk_import_entry(opts->fsroot, 0); 861 if (IS_ERR(skp)) 862 return PTR_ERR(skp); 863 sp->smk_root = skp; 864 } 865 if (opts->fstransmute) { 866 skp = smk_import_entry(opts->fstransmute, 0); 867 if (IS_ERR(skp)) 868 return PTR_ERR(skp); 869 sp->smk_root = skp; 870 transmute = true; 871 } 872 } 873 874 /* 875 * Initialize the root inode. 876 */ 877 init_inode_smack(inode, sp->smk_root); 878 879 if (transmute) { 880 isp = smack_inode(inode); 881 isp->smk_flags |= SMK_INODE_TRANSMUTE; 882 } 883 884 return 0; 885 } 886 887 /** 888 * smack_sb_statfs - Smack check on statfs 889 * @dentry: identifies the file system in question 890 * 891 * Returns 0 if current can read the floor of the filesystem, 892 * and error code otherwise 893 */ 894 static int smack_sb_statfs(struct dentry *dentry) 895 { 896 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 897 int rc; 898 struct smk_audit_info ad; 899 900 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 901 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 902 903 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 904 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 905 return rc; 906 } 907 908 /* 909 * BPRM hooks 910 */ 911 912 /** 913 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 914 * @bprm: the exec information 915 * 916 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 917 */ 918 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 919 { 920 struct inode *inode = file_inode(bprm->file); 921 struct task_smack *bsp = smack_cred(bprm->cred); 922 struct inode_smack *isp; 923 struct superblock_smack *sbsp; 924 int rc; 925 926 isp = smack_inode(inode); 927 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 928 return 0; 929 930 sbsp = smack_superblock(inode->i_sb); 931 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 932 isp->smk_task != sbsp->smk_root) 933 return 0; 934 935 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 936 struct task_struct *tracer; 937 rc = 0; 938 939 rcu_read_lock(); 940 tracer = ptrace_parent(current); 941 if (likely(tracer != NULL)) 942 rc = smk_ptrace_rule_check(tracer, 943 isp->smk_task, 944 PTRACE_MODE_ATTACH, 945 __func__); 946 rcu_read_unlock(); 947 948 if (rc != 0) 949 return rc; 950 } 951 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 952 return -EPERM; 953 954 bsp->smk_task = isp->smk_task; 955 bprm->per_clear |= PER_CLEAR_ON_SETID; 956 957 /* Decide if this is a secure exec. */ 958 if (bsp->smk_task != bsp->smk_forked) 959 bprm->secureexec = 1; 960 961 return 0; 962 } 963 964 /* 965 * Inode hooks 966 */ 967 968 /** 969 * smack_inode_alloc_security - allocate an inode blob 970 * @inode: the inode in need of a blob 971 * 972 * Returns 0 973 */ 974 static int smack_inode_alloc_security(struct inode *inode) 975 { 976 struct smack_known *skp = smk_of_current(); 977 978 init_inode_smack(inode, skp); 979 return 0; 980 } 981 982 /** 983 * smack_inode_init_security - copy out the smack from an inode 984 * @inode: the newly created inode 985 * @dir: containing directory object 986 * @qstr: unused 987 * @xattrs: where to put the attributes 988 * @xattr_count: current number of LSM-provided xattrs (updated) 989 * 990 * Returns 0 if it all works out, -ENOMEM if there's no memory 991 */ 992 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 993 const struct qstr *qstr, 994 struct xattr *xattrs, int *xattr_count) 995 { 996 struct task_smack *tsp = smack_cred(current_cred()); 997 struct inode_smack *issp = smack_inode(inode); 998 struct smack_known *skp = smk_of_task(tsp); 999 struct smack_known *isp = smk_of_inode(inode); 1000 struct smack_known *dsp = smk_of_inode(dir); 1001 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 1002 int may; 1003 1004 /* 1005 * If equal, transmuting already occurred in 1006 * smack_dentry_create_files_as(). No need to check again. 1007 */ 1008 if (tsp->smk_task != tsp->smk_transmuted) { 1009 rcu_read_lock(); 1010 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1011 &skp->smk_rules); 1012 rcu_read_unlock(); 1013 } 1014 1015 /* 1016 * In addition to having smk_task equal to smk_transmuted, 1017 * if the access rule allows transmutation and the directory 1018 * requests transmutation then by all means transmute. 1019 * Mark the inode as changed. 1020 */ 1021 if ((tsp->smk_task == tsp->smk_transmuted) || 1022 (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1023 smk_inode_transmutable(dir))) { 1024 struct xattr *xattr_transmute; 1025 1026 /* 1027 * The caller of smack_dentry_create_files_as() 1028 * should have overridden the current cred, so the 1029 * inode label was already set correctly in 1030 * smack_inode_alloc_security(). 1031 */ 1032 if (tsp->smk_task != tsp->smk_transmuted) 1033 isp = issp->smk_inode = dsp; 1034 1035 issp->smk_flags |= SMK_INODE_TRANSMUTE; 1036 xattr_transmute = lsm_get_xattr_slot(xattrs, 1037 xattr_count); 1038 if (xattr_transmute) { 1039 xattr_transmute->value = kmemdup(TRANS_TRUE, 1040 TRANS_TRUE_SIZE, 1041 GFP_NOFS); 1042 if (!xattr_transmute->value) 1043 return -ENOMEM; 1044 1045 xattr_transmute->value_len = TRANS_TRUE_SIZE; 1046 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1047 } 1048 } 1049 1050 issp->smk_flags |= SMK_INODE_INSTANT; 1051 1052 if (xattr) { 1053 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1054 if (!xattr->value) 1055 return -ENOMEM; 1056 1057 xattr->value_len = strlen(isp->smk_known); 1058 xattr->name = XATTR_SMACK_SUFFIX; 1059 } 1060 1061 return 0; 1062 } 1063 1064 /** 1065 * smack_inode_link - Smack check on link 1066 * @old_dentry: the existing object 1067 * @dir: unused 1068 * @new_dentry: the new object 1069 * 1070 * Returns 0 if access is permitted, an error code otherwise 1071 */ 1072 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1073 struct dentry *new_dentry) 1074 { 1075 struct smack_known *isp; 1076 struct smk_audit_info ad; 1077 int rc; 1078 1079 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1080 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1081 1082 isp = smk_of_inode(d_backing_inode(old_dentry)); 1083 rc = smk_curacc(isp, MAY_WRITE, &ad); 1084 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1085 1086 if (rc == 0 && d_is_positive(new_dentry)) { 1087 isp = smk_of_inode(d_backing_inode(new_dentry)); 1088 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1089 rc = smk_curacc(isp, MAY_WRITE, &ad); 1090 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1091 } 1092 1093 return rc; 1094 } 1095 1096 /** 1097 * smack_inode_unlink - Smack check on inode deletion 1098 * @dir: containing directory object 1099 * @dentry: file to unlink 1100 * 1101 * Returns 0 if current can write the containing directory 1102 * and the object, error code otherwise 1103 */ 1104 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1105 { 1106 struct inode *ip = d_backing_inode(dentry); 1107 struct smk_audit_info ad; 1108 int rc; 1109 1110 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1111 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1112 1113 /* 1114 * You need write access to the thing you're unlinking 1115 */ 1116 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1117 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1118 if (rc == 0) { 1119 /* 1120 * You also need write access to the containing directory 1121 */ 1122 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1123 smk_ad_setfield_u_fs_inode(&ad, dir); 1124 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1125 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1126 } 1127 return rc; 1128 } 1129 1130 /** 1131 * smack_inode_rmdir - Smack check on directory deletion 1132 * @dir: containing directory object 1133 * @dentry: directory to unlink 1134 * 1135 * Returns 0 if current can write the containing directory 1136 * and the directory, error code otherwise 1137 */ 1138 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1139 { 1140 struct smk_audit_info ad; 1141 int rc; 1142 1143 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1144 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1145 1146 /* 1147 * You need write access to the thing you're removing 1148 */ 1149 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1150 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1151 if (rc == 0) { 1152 /* 1153 * You also need write access to the containing directory 1154 */ 1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1156 smk_ad_setfield_u_fs_inode(&ad, dir); 1157 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1158 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1159 } 1160 1161 return rc; 1162 } 1163 1164 /** 1165 * smack_inode_rename - Smack check on rename 1166 * @old_inode: unused 1167 * @old_dentry: the old object 1168 * @new_inode: unused 1169 * @new_dentry: the new object 1170 * 1171 * Read and write access is required on both the old and 1172 * new directories. 1173 * 1174 * Returns 0 if access is permitted, an error code otherwise 1175 */ 1176 static int smack_inode_rename(struct inode *old_inode, 1177 struct dentry *old_dentry, 1178 struct inode *new_inode, 1179 struct dentry *new_dentry) 1180 { 1181 int rc; 1182 struct smack_known *isp; 1183 struct smk_audit_info ad; 1184 1185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1186 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1187 1188 isp = smk_of_inode(d_backing_inode(old_dentry)); 1189 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1190 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1191 1192 if (rc == 0 && d_is_positive(new_dentry)) { 1193 isp = smk_of_inode(d_backing_inode(new_dentry)); 1194 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1195 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1196 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1197 } 1198 return rc; 1199 } 1200 1201 /** 1202 * smack_inode_permission - Smack version of permission() 1203 * @inode: the inode in question 1204 * @mask: the access requested 1205 * 1206 * This is the important Smack hook. 1207 * 1208 * Returns 0 if access is permitted, an error code otherwise 1209 */ 1210 static int smack_inode_permission(struct inode *inode, int mask) 1211 { 1212 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1213 struct smk_audit_info ad; 1214 int no_block = mask & MAY_NOT_BLOCK; 1215 int rc; 1216 1217 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1218 /* 1219 * No permission to check. Existence test. Yup, it's there. 1220 */ 1221 if (mask == 0) 1222 return 0; 1223 1224 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1225 if (smk_of_inode(inode) != sbsp->smk_root) 1226 return -EACCES; 1227 } 1228 1229 /* May be droppable after audit */ 1230 if (no_block) 1231 return -ECHILD; 1232 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1233 smk_ad_setfield_u_fs_inode(&ad, inode); 1234 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1235 rc = smk_bu_inode(inode, mask, rc); 1236 return rc; 1237 } 1238 1239 /** 1240 * smack_inode_setattr - Smack check for setting attributes 1241 * @idmap: idmap of the mount 1242 * @dentry: the object 1243 * @iattr: for the force flag 1244 * 1245 * Returns 0 if access is permitted, an error code otherwise 1246 */ 1247 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1248 struct iattr *iattr) 1249 { 1250 struct smk_audit_info ad; 1251 int rc; 1252 1253 /* 1254 * Need to allow for clearing the setuid bit. 1255 */ 1256 if (iattr->ia_valid & ATTR_FORCE) 1257 return 0; 1258 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1259 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1260 1261 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1262 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1263 return rc; 1264 } 1265 1266 /** 1267 * smack_inode_getattr - Smack check for getting attributes 1268 * @path: path to extract the info from 1269 * 1270 * Returns 0 if access is permitted, an error code otherwise 1271 */ 1272 static int smack_inode_getattr(const struct path *path) 1273 { 1274 struct smk_audit_info ad; 1275 struct inode *inode = d_backing_inode(path->dentry); 1276 int rc; 1277 1278 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1279 smk_ad_setfield_u_fs_path(&ad, *path); 1280 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1281 rc = smk_bu_inode(inode, MAY_READ, rc); 1282 return rc; 1283 } 1284 1285 /** 1286 * smack_inode_setxattr - Smack check for setting xattrs 1287 * @idmap: idmap of the mount 1288 * @dentry: the object 1289 * @name: name of the attribute 1290 * @value: value of the attribute 1291 * @size: size of the value 1292 * @flags: unused 1293 * 1294 * This protects the Smack attribute explicitly. 1295 * 1296 * Returns 0 if access is permitted, an error code otherwise 1297 */ 1298 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1299 struct dentry *dentry, const char *name, 1300 const void *value, size_t size, int flags) 1301 { 1302 struct smk_audit_info ad; 1303 struct smack_known *skp; 1304 int check_priv = 0; 1305 int check_import = 0; 1306 int check_star = 0; 1307 int rc = 0; 1308 1309 /* 1310 * Check label validity here so import won't fail in post_setxattr 1311 */ 1312 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1313 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1314 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1315 check_priv = 1; 1316 check_import = 1; 1317 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1318 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1319 check_priv = 1; 1320 check_import = 1; 1321 check_star = 1; 1322 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1323 check_priv = 1; 1324 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || 1325 size != TRANS_TRUE_SIZE || 1326 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1327 rc = -EINVAL; 1328 } else 1329 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1330 1331 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1332 rc = -EPERM; 1333 1334 if (rc == 0 && check_import) { 1335 skp = size ? smk_import_entry(value, size) : NULL; 1336 if (IS_ERR(skp)) 1337 rc = PTR_ERR(skp); 1338 else if (skp == NULL || (check_star && 1339 (skp == &smack_known_star || skp == &smack_known_web))) 1340 rc = -EINVAL; 1341 } 1342 1343 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1344 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1345 1346 if (rc == 0) { 1347 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1348 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1349 } 1350 1351 return rc; 1352 } 1353 1354 /** 1355 * smack_inode_post_setxattr - Apply the Smack update approved above 1356 * @dentry: object 1357 * @name: attribute name 1358 * @value: attribute value 1359 * @size: attribute size 1360 * @flags: unused 1361 * 1362 * Set the pointer in the inode blob to the entry found 1363 * in the master label list. 1364 */ 1365 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1366 const void *value, size_t size, int flags) 1367 { 1368 struct smack_known *skp; 1369 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1370 1371 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1372 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1373 return; 1374 } 1375 1376 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1377 skp = smk_import_entry(value, size); 1378 if (!IS_ERR(skp)) 1379 isp->smk_inode = skp; 1380 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1381 skp = smk_import_entry(value, size); 1382 if (!IS_ERR(skp)) 1383 isp->smk_task = skp; 1384 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1385 skp = smk_import_entry(value, size); 1386 if (!IS_ERR(skp)) 1387 isp->smk_mmap = skp; 1388 } 1389 1390 return; 1391 } 1392 1393 /** 1394 * smack_inode_getxattr - Smack check on getxattr 1395 * @dentry: the object 1396 * @name: unused 1397 * 1398 * Returns 0 if access is permitted, an error code otherwise 1399 */ 1400 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1401 { 1402 struct smk_audit_info ad; 1403 int rc; 1404 1405 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1406 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1407 1408 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1409 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1410 return rc; 1411 } 1412 1413 /** 1414 * smack_inode_removexattr - Smack check on removexattr 1415 * @idmap: idmap of the mount 1416 * @dentry: the object 1417 * @name: name of the attribute 1418 * 1419 * Removing the Smack attribute requires CAP_MAC_ADMIN 1420 * 1421 * Returns 0 if access is permitted, an error code otherwise 1422 */ 1423 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1424 struct dentry *dentry, const char *name) 1425 { 1426 struct inode_smack *isp; 1427 struct smk_audit_info ad; 1428 int rc = 0; 1429 1430 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1431 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1432 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1433 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1434 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1435 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1436 if (!smack_privileged(CAP_MAC_ADMIN)) 1437 rc = -EPERM; 1438 } else 1439 rc = cap_inode_removexattr(idmap, dentry, name); 1440 1441 if (rc != 0) 1442 return rc; 1443 1444 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1445 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1446 1447 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1448 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1449 if (rc != 0) 1450 return rc; 1451 1452 isp = smack_inode(d_backing_inode(dentry)); 1453 /* 1454 * Don't do anything special for these. 1455 * XATTR_NAME_SMACKIPIN 1456 * XATTR_NAME_SMACKIPOUT 1457 */ 1458 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1459 struct super_block *sbp = dentry->d_sb; 1460 struct superblock_smack *sbsp = smack_superblock(sbp); 1461 1462 isp->smk_inode = sbsp->smk_default; 1463 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1464 isp->smk_task = NULL; 1465 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1466 isp->smk_mmap = NULL; 1467 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1468 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1469 1470 return 0; 1471 } 1472 1473 /** 1474 * smack_inode_set_acl - Smack check for setting posix acls 1475 * @idmap: idmap of the mnt this request came from 1476 * @dentry: the object 1477 * @acl_name: name of the posix acl 1478 * @kacl: the posix acls 1479 * 1480 * Returns 0 if access is permitted, an error code otherwise 1481 */ 1482 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1483 struct dentry *dentry, const char *acl_name, 1484 struct posix_acl *kacl) 1485 { 1486 struct smk_audit_info ad; 1487 int rc; 1488 1489 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1490 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1491 1492 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1493 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1494 return rc; 1495 } 1496 1497 /** 1498 * smack_inode_get_acl - Smack check for getting posix acls 1499 * @idmap: idmap of the mnt this request came from 1500 * @dentry: the object 1501 * @acl_name: name of the posix acl 1502 * 1503 * Returns 0 if access is permitted, an error code otherwise 1504 */ 1505 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1506 struct dentry *dentry, const char *acl_name) 1507 { 1508 struct smk_audit_info ad; 1509 int rc; 1510 1511 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1512 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1513 1514 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1515 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1516 return rc; 1517 } 1518 1519 /** 1520 * smack_inode_remove_acl - Smack check for getting posix acls 1521 * @idmap: idmap of the mnt this request came from 1522 * @dentry: the object 1523 * @acl_name: name of the posix acl 1524 * 1525 * Returns 0 if access is permitted, an error code otherwise 1526 */ 1527 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1528 struct dentry *dentry, const char *acl_name) 1529 { 1530 struct smk_audit_info ad; 1531 int rc; 1532 1533 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1534 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1535 1536 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1537 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1538 return rc; 1539 } 1540 1541 /** 1542 * smack_inode_getsecurity - get smack xattrs 1543 * @idmap: idmap of the mount 1544 * @inode: the object 1545 * @name: attribute name 1546 * @buffer: where to put the result 1547 * @alloc: duplicate memory 1548 * 1549 * Returns the size of the attribute or an error code 1550 */ 1551 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1552 struct inode *inode, const char *name, 1553 void **buffer, bool alloc) 1554 { 1555 struct socket_smack *ssp; 1556 struct socket *sock; 1557 struct super_block *sbp; 1558 struct inode *ip = inode; 1559 struct smack_known *isp; 1560 struct inode_smack *ispp; 1561 size_t label_len; 1562 char *label = NULL; 1563 1564 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1565 isp = smk_of_inode(inode); 1566 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1567 ispp = smack_inode(inode); 1568 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1569 label = TRANS_TRUE; 1570 else 1571 label = ""; 1572 } else { 1573 /* 1574 * The rest of the Smack xattrs are only on sockets. 1575 */ 1576 sbp = ip->i_sb; 1577 if (sbp->s_magic != SOCKFS_MAGIC) 1578 return -EOPNOTSUPP; 1579 1580 sock = SOCKET_I(ip); 1581 if (sock == NULL || sock->sk == NULL) 1582 return -EOPNOTSUPP; 1583 1584 ssp = sock->sk->sk_security; 1585 1586 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1587 isp = ssp->smk_in; 1588 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1589 isp = ssp->smk_out; 1590 else 1591 return -EOPNOTSUPP; 1592 } 1593 1594 if (!label) 1595 label = isp->smk_known; 1596 1597 label_len = strlen(label); 1598 1599 if (alloc) { 1600 *buffer = kstrdup(label, GFP_KERNEL); 1601 if (*buffer == NULL) 1602 return -ENOMEM; 1603 } 1604 1605 return label_len; 1606 } 1607 1608 1609 /** 1610 * smack_inode_listsecurity - list the Smack attributes 1611 * @inode: the object 1612 * @buffer: where they go 1613 * @buffer_size: size of buffer 1614 */ 1615 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1616 size_t buffer_size) 1617 { 1618 int len = sizeof(XATTR_NAME_SMACK); 1619 1620 if (buffer != NULL && len <= buffer_size) 1621 memcpy(buffer, XATTR_NAME_SMACK, len); 1622 1623 return len; 1624 } 1625 1626 /** 1627 * smack_inode_getsecid - Extract inode's security id 1628 * @inode: inode to extract the info from 1629 * @secid: where result will be saved 1630 */ 1631 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1632 { 1633 struct smack_known *skp = smk_of_inode(inode); 1634 1635 *secid = skp->smk_secid; 1636 } 1637 1638 /* 1639 * File Hooks 1640 */ 1641 1642 /* 1643 * There is no smack_file_permission hook 1644 * 1645 * Should access checks be done on each read or write? 1646 * UNICOS and SELinux say yes. 1647 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1648 * 1649 * I'll say no for now. Smack does not do the frequent 1650 * label changing that SELinux does. 1651 */ 1652 1653 /** 1654 * smack_file_alloc_security - assign a file security blob 1655 * @file: the object 1656 * 1657 * The security blob for a file is a pointer to the master 1658 * label list, so no allocation is done. 1659 * 1660 * f_security is the owner security information. It 1661 * isn't used on file access checks, it's for send_sigio. 1662 * 1663 * Returns 0 1664 */ 1665 static int smack_file_alloc_security(struct file *file) 1666 { 1667 struct smack_known **blob = smack_file(file); 1668 1669 *blob = smk_of_current(); 1670 return 0; 1671 } 1672 1673 /** 1674 * smack_file_ioctl - Smack check on ioctls 1675 * @file: the object 1676 * @cmd: what to do 1677 * @arg: unused 1678 * 1679 * Relies heavily on the correct use of the ioctl command conventions. 1680 * 1681 * Returns 0 if allowed, error code otherwise 1682 */ 1683 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1684 unsigned long arg) 1685 { 1686 int rc = 0; 1687 struct smk_audit_info ad; 1688 struct inode *inode = file_inode(file); 1689 1690 if (unlikely(IS_PRIVATE(inode))) 1691 return 0; 1692 1693 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1694 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1695 1696 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1697 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1698 rc = smk_bu_file(file, MAY_WRITE, rc); 1699 } 1700 1701 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1702 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1703 rc = smk_bu_file(file, MAY_READ, rc); 1704 } 1705 1706 return rc; 1707 } 1708 1709 /** 1710 * smack_file_lock - Smack check on file locking 1711 * @file: the object 1712 * @cmd: unused 1713 * 1714 * Returns 0 if current has lock access, error code otherwise 1715 */ 1716 static int smack_file_lock(struct file *file, unsigned int cmd) 1717 { 1718 struct smk_audit_info ad; 1719 int rc; 1720 struct inode *inode = file_inode(file); 1721 1722 if (unlikely(IS_PRIVATE(inode))) 1723 return 0; 1724 1725 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1726 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1727 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1728 rc = smk_bu_file(file, MAY_LOCK, rc); 1729 return rc; 1730 } 1731 1732 /** 1733 * smack_file_fcntl - Smack check on fcntl 1734 * @file: the object 1735 * @cmd: what action to check 1736 * @arg: unused 1737 * 1738 * Generally these operations are harmless. 1739 * File locking operations present an obvious mechanism 1740 * for passing information, so they require write access. 1741 * 1742 * Returns 0 if current has access, error code otherwise 1743 */ 1744 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1745 unsigned long arg) 1746 { 1747 struct smk_audit_info ad; 1748 int rc = 0; 1749 struct inode *inode = file_inode(file); 1750 1751 if (unlikely(IS_PRIVATE(inode))) 1752 return 0; 1753 1754 switch (cmd) { 1755 case F_GETLK: 1756 break; 1757 case F_SETLK: 1758 case F_SETLKW: 1759 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1760 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1761 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1762 rc = smk_bu_file(file, MAY_LOCK, rc); 1763 break; 1764 case F_SETOWN: 1765 case F_SETSIG: 1766 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1767 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1768 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1769 rc = smk_bu_file(file, MAY_WRITE, rc); 1770 break; 1771 default: 1772 break; 1773 } 1774 1775 return rc; 1776 } 1777 1778 /** 1779 * smack_mmap_file - Check permissions for a mmap operation. 1780 * @file: contains the file structure for file to map (may be NULL). 1781 * @reqprot: contains the protection requested by the application. 1782 * @prot: contains the protection that will be applied by the kernel. 1783 * @flags: contains the operational flags. 1784 * 1785 * The @file may be NULL, e.g. if mapping anonymous memory. 1786 * 1787 * Return 0 if permission is granted. 1788 */ 1789 static int smack_mmap_file(struct file *file, 1790 unsigned long reqprot, unsigned long prot, 1791 unsigned long flags) 1792 { 1793 struct smack_known *skp; 1794 struct smack_known *mkp; 1795 struct smack_rule *srp; 1796 struct task_smack *tsp; 1797 struct smack_known *okp; 1798 struct inode_smack *isp; 1799 struct superblock_smack *sbsp; 1800 int may; 1801 int mmay; 1802 int tmay; 1803 int rc; 1804 1805 if (file == NULL) 1806 return 0; 1807 1808 if (unlikely(IS_PRIVATE(file_inode(file)))) 1809 return 0; 1810 1811 isp = smack_inode(file_inode(file)); 1812 if (isp->smk_mmap == NULL) 1813 return 0; 1814 sbsp = smack_superblock(file_inode(file)->i_sb); 1815 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1816 isp->smk_mmap != sbsp->smk_root) 1817 return -EACCES; 1818 mkp = isp->smk_mmap; 1819 1820 tsp = smack_cred(current_cred()); 1821 skp = smk_of_current(); 1822 rc = 0; 1823 1824 rcu_read_lock(); 1825 /* 1826 * For each Smack rule associated with the subject 1827 * label verify that the SMACK64MMAP also has access 1828 * to that rule's object label. 1829 */ 1830 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1831 okp = srp->smk_object; 1832 /* 1833 * Matching labels always allows access. 1834 */ 1835 if (mkp->smk_known == okp->smk_known) 1836 continue; 1837 /* 1838 * If there is a matching local rule take 1839 * that into account as well. 1840 */ 1841 may = smk_access_entry(srp->smk_subject->smk_known, 1842 okp->smk_known, 1843 &tsp->smk_rules); 1844 if (may == -ENOENT) 1845 may = srp->smk_access; 1846 else 1847 may &= srp->smk_access; 1848 /* 1849 * If may is zero the SMACK64MMAP subject can't 1850 * possibly have less access. 1851 */ 1852 if (may == 0) 1853 continue; 1854 1855 /* 1856 * Fetch the global list entry. 1857 * If there isn't one a SMACK64MMAP subject 1858 * can't have as much access as current. 1859 */ 1860 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1861 &mkp->smk_rules); 1862 if (mmay == -ENOENT) { 1863 rc = -EACCES; 1864 break; 1865 } 1866 /* 1867 * If there is a local entry it modifies the 1868 * potential access, too. 1869 */ 1870 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1871 &tsp->smk_rules); 1872 if (tmay != -ENOENT) 1873 mmay &= tmay; 1874 1875 /* 1876 * If there is any access available to current that is 1877 * not available to a SMACK64MMAP subject 1878 * deny access. 1879 */ 1880 if ((may | mmay) != mmay) { 1881 rc = -EACCES; 1882 break; 1883 } 1884 } 1885 1886 rcu_read_unlock(); 1887 1888 return rc; 1889 } 1890 1891 /** 1892 * smack_file_set_fowner - set the file security blob value 1893 * @file: object in question 1894 * 1895 */ 1896 static void smack_file_set_fowner(struct file *file) 1897 { 1898 struct smack_known **blob = smack_file(file); 1899 1900 *blob = smk_of_current(); 1901 } 1902 1903 /** 1904 * smack_file_send_sigiotask - Smack on sigio 1905 * @tsk: The target task 1906 * @fown: the object the signal come from 1907 * @signum: unused 1908 * 1909 * Allow a privileged task to get signals even if it shouldn't 1910 * 1911 * Returns 0 if a subject with the object's smack could 1912 * write to the task, an error code otherwise. 1913 */ 1914 static int smack_file_send_sigiotask(struct task_struct *tsk, 1915 struct fown_struct *fown, int signum) 1916 { 1917 struct smack_known **blob; 1918 struct smack_known *skp; 1919 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1920 const struct cred *tcred; 1921 struct file *file; 1922 int rc; 1923 struct smk_audit_info ad; 1924 1925 /* 1926 * struct fown_struct is never outside the context of a struct file 1927 */ 1928 file = container_of(fown, struct file, f_owner); 1929 1930 /* we don't log here as rc can be overriden */ 1931 blob = smack_file(file); 1932 skp = *blob; 1933 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1934 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1935 1936 rcu_read_lock(); 1937 tcred = __task_cred(tsk); 1938 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1939 rc = 0; 1940 rcu_read_unlock(); 1941 1942 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1943 smk_ad_setfield_u_tsk(&ad, tsk); 1944 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1945 return rc; 1946 } 1947 1948 /** 1949 * smack_file_receive - Smack file receive check 1950 * @file: the object 1951 * 1952 * Returns 0 if current has access, error code otherwise 1953 */ 1954 static int smack_file_receive(struct file *file) 1955 { 1956 int rc; 1957 int may = 0; 1958 struct smk_audit_info ad; 1959 struct inode *inode = file_inode(file); 1960 struct socket *sock; 1961 struct task_smack *tsp; 1962 struct socket_smack *ssp; 1963 1964 if (unlikely(IS_PRIVATE(inode))) 1965 return 0; 1966 1967 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1968 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1969 1970 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1971 sock = SOCKET_I(inode); 1972 ssp = sock->sk->sk_security; 1973 tsp = smack_cred(current_cred()); 1974 /* 1975 * If the receiving process can't write to the 1976 * passed socket or if the passed socket can't 1977 * write to the receiving process don't accept 1978 * the passed socket. 1979 */ 1980 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1981 rc = smk_bu_file(file, may, rc); 1982 if (rc < 0) 1983 return rc; 1984 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1985 rc = smk_bu_file(file, may, rc); 1986 return rc; 1987 } 1988 /* 1989 * This code relies on bitmasks. 1990 */ 1991 if (file->f_mode & FMODE_READ) 1992 may = MAY_READ; 1993 if (file->f_mode & FMODE_WRITE) 1994 may |= MAY_WRITE; 1995 1996 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1997 rc = smk_bu_file(file, may, rc); 1998 return rc; 1999 } 2000 2001 /** 2002 * smack_file_open - Smack dentry open processing 2003 * @file: the object 2004 * 2005 * Set the security blob in the file structure. 2006 * Allow the open only if the task has read access. There are 2007 * many read operations (e.g. fstat) that you can do with an 2008 * fd even if you have the file open write-only. 2009 * 2010 * Returns 0 if current has access, error code otherwise 2011 */ 2012 static int smack_file_open(struct file *file) 2013 { 2014 struct task_smack *tsp = smack_cred(file->f_cred); 2015 struct inode *inode = file_inode(file); 2016 struct smk_audit_info ad; 2017 int rc; 2018 2019 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2020 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2021 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2022 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2023 2024 return rc; 2025 } 2026 2027 /* 2028 * Task hooks 2029 */ 2030 2031 /** 2032 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2033 * @cred: the new credentials 2034 * @gfp: the atomicity of any memory allocations 2035 * 2036 * Prepare a blank set of credentials for modification. This must allocate all 2037 * the memory the LSM module might require such that cred_transfer() can 2038 * complete without error. 2039 */ 2040 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2041 { 2042 init_task_smack(smack_cred(cred), NULL, NULL); 2043 return 0; 2044 } 2045 2046 2047 /** 2048 * smack_cred_free - "free" task-level security credentials 2049 * @cred: the credentials in question 2050 * 2051 */ 2052 static void smack_cred_free(struct cred *cred) 2053 { 2054 struct task_smack *tsp = smack_cred(cred); 2055 struct smack_rule *rp; 2056 struct list_head *l; 2057 struct list_head *n; 2058 2059 smk_destroy_label_list(&tsp->smk_relabel); 2060 2061 list_for_each_safe(l, n, &tsp->smk_rules) { 2062 rp = list_entry(l, struct smack_rule, list); 2063 list_del(&rp->list); 2064 kmem_cache_free(smack_rule_cache, rp); 2065 } 2066 } 2067 2068 /** 2069 * smack_cred_prepare - prepare new set of credentials for modification 2070 * @new: the new credentials 2071 * @old: the original credentials 2072 * @gfp: the atomicity of any memory allocations 2073 * 2074 * Prepare a new set of credentials for modification. 2075 */ 2076 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2077 gfp_t gfp) 2078 { 2079 struct task_smack *old_tsp = smack_cred(old); 2080 struct task_smack *new_tsp = smack_cred(new); 2081 int rc; 2082 2083 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2084 2085 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2086 if (rc != 0) 2087 return rc; 2088 2089 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2090 gfp); 2091 return rc; 2092 } 2093 2094 /** 2095 * smack_cred_transfer - Transfer the old credentials to the new credentials 2096 * @new: the new credentials 2097 * @old: the original credentials 2098 * 2099 * Fill in a set of blank credentials from another set of credentials. 2100 */ 2101 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2102 { 2103 struct task_smack *old_tsp = smack_cred(old); 2104 struct task_smack *new_tsp = smack_cred(new); 2105 2106 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2107 } 2108 2109 /** 2110 * smack_cred_getsecid - get the secid corresponding to a creds structure 2111 * @cred: the object creds 2112 * @secid: where to put the result 2113 * 2114 * Sets the secid to contain a u32 version of the smack label. 2115 */ 2116 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2117 { 2118 struct smack_known *skp; 2119 2120 rcu_read_lock(); 2121 skp = smk_of_task(smack_cred(cred)); 2122 *secid = skp->smk_secid; 2123 rcu_read_unlock(); 2124 } 2125 2126 /** 2127 * smack_kernel_act_as - Set the subjective context in a set of credentials 2128 * @new: points to the set of credentials to be modified. 2129 * @secid: specifies the security ID to be set 2130 * 2131 * Set the security data for a kernel service. 2132 */ 2133 static int smack_kernel_act_as(struct cred *new, u32 secid) 2134 { 2135 struct task_smack *new_tsp = smack_cred(new); 2136 2137 new_tsp->smk_task = smack_from_secid(secid); 2138 return 0; 2139 } 2140 2141 /** 2142 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2143 * @new: points to the set of credentials to be modified 2144 * @inode: points to the inode to use as a reference 2145 * 2146 * Set the file creation context in a set of credentials to the same 2147 * as the objective context of the specified inode 2148 */ 2149 static int smack_kernel_create_files_as(struct cred *new, 2150 struct inode *inode) 2151 { 2152 struct inode_smack *isp = smack_inode(inode); 2153 struct task_smack *tsp = smack_cred(new); 2154 2155 tsp->smk_forked = isp->smk_inode; 2156 tsp->smk_task = tsp->smk_forked; 2157 return 0; 2158 } 2159 2160 /** 2161 * smk_curacc_on_task - helper to log task related access 2162 * @p: the task object 2163 * @access: the access requested 2164 * @caller: name of the calling function for audit 2165 * 2166 * Return 0 if access is permitted 2167 */ 2168 static int smk_curacc_on_task(struct task_struct *p, int access, 2169 const char *caller) 2170 { 2171 struct smk_audit_info ad; 2172 struct smack_known *skp = smk_of_task_struct_obj(p); 2173 int rc; 2174 2175 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2176 smk_ad_setfield_u_tsk(&ad, p); 2177 rc = smk_curacc(skp, access, &ad); 2178 rc = smk_bu_task(p, access, rc); 2179 return rc; 2180 } 2181 2182 /** 2183 * smack_task_setpgid - Smack check on setting pgid 2184 * @p: the task object 2185 * @pgid: unused 2186 * 2187 * Return 0 if write access is permitted 2188 */ 2189 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2190 { 2191 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2192 } 2193 2194 /** 2195 * smack_task_getpgid - Smack access check for getpgid 2196 * @p: the object task 2197 * 2198 * Returns 0 if current can read the object task, error code otherwise 2199 */ 2200 static int smack_task_getpgid(struct task_struct *p) 2201 { 2202 return smk_curacc_on_task(p, MAY_READ, __func__); 2203 } 2204 2205 /** 2206 * smack_task_getsid - Smack access check for getsid 2207 * @p: the object task 2208 * 2209 * Returns 0 if current can read the object task, error code otherwise 2210 */ 2211 static int smack_task_getsid(struct task_struct *p) 2212 { 2213 return smk_curacc_on_task(p, MAY_READ, __func__); 2214 } 2215 2216 /** 2217 * smack_current_getsecid_subj - get the subjective secid of the current task 2218 * @secid: where to put the result 2219 * 2220 * Sets the secid to contain a u32 version of the task's subjective smack label. 2221 */ 2222 static void smack_current_getsecid_subj(u32 *secid) 2223 { 2224 struct smack_known *skp = smk_of_current(); 2225 2226 *secid = skp->smk_secid; 2227 } 2228 2229 /** 2230 * smack_task_getsecid_obj - get the objective secid of the task 2231 * @p: the task 2232 * @secid: where to put the result 2233 * 2234 * Sets the secid to contain a u32 version of the task's objective smack label. 2235 */ 2236 static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) 2237 { 2238 struct smack_known *skp = smk_of_task_struct_obj(p); 2239 2240 *secid = skp->smk_secid; 2241 } 2242 2243 /** 2244 * smack_task_setnice - Smack check on setting nice 2245 * @p: the task object 2246 * @nice: unused 2247 * 2248 * Return 0 if write access is permitted 2249 */ 2250 static int smack_task_setnice(struct task_struct *p, int nice) 2251 { 2252 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2253 } 2254 2255 /** 2256 * smack_task_setioprio - Smack check on setting ioprio 2257 * @p: the task object 2258 * @ioprio: unused 2259 * 2260 * Return 0 if write access is permitted 2261 */ 2262 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2263 { 2264 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2265 } 2266 2267 /** 2268 * smack_task_getioprio - Smack check on reading ioprio 2269 * @p: the task object 2270 * 2271 * Return 0 if read access is permitted 2272 */ 2273 static int smack_task_getioprio(struct task_struct *p) 2274 { 2275 return smk_curacc_on_task(p, MAY_READ, __func__); 2276 } 2277 2278 /** 2279 * smack_task_setscheduler - Smack check on setting scheduler 2280 * @p: the task object 2281 * 2282 * Return 0 if read access is permitted 2283 */ 2284 static int smack_task_setscheduler(struct task_struct *p) 2285 { 2286 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2287 } 2288 2289 /** 2290 * smack_task_getscheduler - Smack check on reading scheduler 2291 * @p: the task object 2292 * 2293 * Return 0 if read access is permitted 2294 */ 2295 static int smack_task_getscheduler(struct task_struct *p) 2296 { 2297 return smk_curacc_on_task(p, MAY_READ, __func__); 2298 } 2299 2300 /** 2301 * smack_task_movememory - Smack check on moving memory 2302 * @p: the task object 2303 * 2304 * Return 0 if write access is permitted 2305 */ 2306 static int smack_task_movememory(struct task_struct *p) 2307 { 2308 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2309 } 2310 2311 /** 2312 * smack_task_kill - Smack check on signal delivery 2313 * @p: the task object 2314 * @info: unused 2315 * @sig: unused 2316 * @cred: identifies the cred to use in lieu of current's 2317 * 2318 * Return 0 if write access is permitted 2319 * 2320 */ 2321 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2322 int sig, const struct cred *cred) 2323 { 2324 struct smk_audit_info ad; 2325 struct smack_known *skp; 2326 struct smack_known *tkp = smk_of_task_struct_obj(p); 2327 int rc; 2328 2329 if (!sig) 2330 return 0; /* null signal; existence test */ 2331 2332 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2333 smk_ad_setfield_u_tsk(&ad, p); 2334 /* 2335 * Sending a signal requires that the sender 2336 * can write the receiver. 2337 */ 2338 if (cred == NULL) { 2339 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2340 rc = smk_bu_task(p, MAY_DELIVER, rc); 2341 return rc; 2342 } 2343 /* 2344 * If the cred isn't NULL we're dealing with some USB IO 2345 * specific behavior. This is not clean. For one thing 2346 * we can't take privilege into account. 2347 */ 2348 skp = smk_of_task(smack_cred(cred)); 2349 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2350 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2351 return rc; 2352 } 2353 2354 /** 2355 * smack_task_to_inode - copy task smack into the inode blob 2356 * @p: task to copy from 2357 * @inode: inode to copy to 2358 * 2359 * Sets the smack pointer in the inode security blob 2360 */ 2361 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2362 { 2363 struct inode_smack *isp = smack_inode(inode); 2364 struct smack_known *skp = smk_of_task_struct_obj(p); 2365 2366 isp->smk_inode = skp; 2367 isp->smk_flags |= SMK_INODE_INSTANT; 2368 } 2369 2370 /* 2371 * Socket hooks. 2372 */ 2373 2374 /** 2375 * smack_sk_alloc_security - Allocate a socket blob 2376 * @sk: the socket 2377 * @family: unused 2378 * @gfp_flags: memory allocation flags 2379 * 2380 * Assign Smack pointers to current 2381 * 2382 * Returns 0 on success, -ENOMEM is there's no memory 2383 */ 2384 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2385 { 2386 struct smack_known *skp = smk_of_current(); 2387 struct socket_smack *ssp; 2388 2389 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2390 if (ssp == NULL) 2391 return -ENOMEM; 2392 2393 /* 2394 * Sockets created by kernel threads receive web label. 2395 */ 2396 if (unlikely(current->flags & PF_KTHREAD)) { 2397 ssp->smk_in = &smack_known_web; 2398 ssp->smk_out = &smack_known_web; 2399 } else { 2400 ssp->smk_in = skp; 2401 ssp->smk_out = skp; 2402 } 2403 ssp->smk_packet = NULL; 2404 2405 sk->sk_security = ssp; 2406 2407 return 0; 2408 } 2409 2410 /** 2411 * smack_sk_free_security - Free a socket blob 2412 * @sk: the socket 2413 * 2414 * Clears the blob pointer 2415 */ 2416 static void smack_sk_free_security(struct sock *sk) 2417 { 2418 #ifdef SMACK_IPV6_PORT_LABELING 2419 struct smk_port_label *spp; 2420 2421 if (sk->sk_family == PF_INET6) { 2422 rcu_read_lock(); 2423 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2424 if (spp->smk_sock != sk) 2425 continue; 2426 spp->smk_can_reuse = 1; 2427 break; 2428 } 2429 rcu_read_unlock(); 2430 } 2431 #endif 2432 kfree(sk->sk_security); 2433 } 2434 2435 /** 2436 * smack_sk_clone_security - Copy security context 2437 * @sk: the old socket 2438 * @newsk: the new socket 2439 * 2440 * Copy the security context of the old socket pointer to the cloned 2441 */ 2442 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2443 { 2444 struct socket_smack *ssp_old = sk->sk_security; 2445 struct socket_smack *ssp_new = newsk->sk_security; 2446 2447 *ssp_new = *ssp_old; 2448 } 2449 2450 /** 2451 * smack_ipv4host_label - check host based restrictions 2452 * @sip: the object end 2453 * 2454 * looks for host based access restrictions 2455 * 2456 * This version will only be appropriate for really small sets of single label 2457 * hosts. The caller is responsible for ensuring that the RCU read lock is 2458 * taken before calling this function. 2459 * 2460 * Returns the label of the far end or NULL if it's not special. 2461 */ 2462 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2463 { 2464 struct smk_net4addr *snp; 2465 struct in_addr *siap = &sip->sin_addr; 2466 2467 if (siap->s_addr == 0) 2468 return NULL; 2469 2470 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2471 /* 2472 * we break after finding the first match because 2473 * the list is sorted from longest to shortest mask 2474 * so we have found the most specific match 2475 */ 2476 if (snp->smk_host.s_addr == 2477 (siap->s_addr & snp->smk_mask.s_addr)) 2478 return snp->smk_label; 2479 2480 return NULL; 2481 } 2482 2483 /* 2484 * smk_ipv6_localhost - Check for local ipv6 host address 2485 * @sip: the address 2486 * 2487 * Returns boolean true if this is the localhost address 2488 */ 2489 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2490 { 2491 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2492 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2493 2494 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2495 ntohs(be16p[7]) == 1) 2496 return true; 2497 return false; 2498 } 2499 2500 /** 2501 * smack_ipv6host_label - check host based restrictions 2502 * @sip: the object end 2503 * 2504 * looks for host based access restrictions 2505 * 2506 * This version will only be appropriate for really small sets of single label 2507 * hosts. The caller is responsible for ensuring that the RCU read lock is 2508 * taken before calling this function. 2509 * 2510 * Returns the label of the far end or NULL if it's not special. 2511 */ 2512 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2513 { 2514 struct smk_net6addr *snp; 2515 struct in6_addr *sap = &sip->sin6_addr; 2516 int i; 2517 int found = 0; 2518 2519 /* 2520 * It's local. Don't look for a host label. 2521 */ 2522 if (smk_ipv6_localhost(sip)) 2523 return NULL; 2524 2525 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2526 /* 2527 * If the label is NULL the entry has 2528 * been renounced. Ignore it. 2529 */ 2530 if (snp->smk_label == NULL) 2531 continue; 2532 /* 2533 * we break after finding the first match because 2534 * the list is sorted from longest to shortest mask 2535 * so we have found the most specific match 2536 */ 2537 for (found = 1, i = 0; i < 8; i++) { 2538 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2539 snp->smk_host.s6_addr16[i]) { 2540 found = 0; 2541 break; 2542 } 2543 } 2544 if (found) 2545 return snp->smk_label; 2546 } 2547 2548 return NULL; 2549 } 2550 2551 /** 2552 * smack_netlbl_add - Set the secattr on a socket 2553 * @sk: the socket 2554 * 2555 * Attach the outbound smack value (smk_out) to the socket. 2556 * 2557 * Returns 0 on success or an error code 2558 */ 2559 static int smack_netlbl_add(struct sock *sk) 2560 { 2561 struct socket_smack *ssp = sk->sk_security; 2562 struct smack_known *skp = ssp->smk_out; 2563 int rc; 2564 2565 local_bh_disable(); 2566 bh_lock_sock_nested(sk); 2567 2568 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2569 netlbl_sk_lock_check(sk)); 2570 switch (rc) { 2571 case 0: 2572 ssp->smk_state = SMK_NETLBL_LABELED; 2573 break; 2574 case -EDESTADDRREQ: 2575 ssp->smk_state = SMK_NETLBL_REQSKB; 2576 rc = 0; 2577 break; 2578 } 2579 2580 bh_unlock_sock(sk); 2581 local_bh_enable(); 2582 2583 return rc; 2584 } 2585 2586 /** 2587 * smack_netlbl_delete - Remove the secattr from a socket 2588 * @sk: the socket 2589 * 2590 * Remove the outbound smack value from a socket 2591 */ 2592 static void smack_netlbl_delete(struct sock *sk) 2593 { 2594 struct socket_smack *ssp = sk->sk_security; 2595 2596 /* 2597 * Take the label off the socket if one is set. 2598 */ 2599 if (ssp->smk_state != SMK_NETLBL_LABELED) 2600 return; 2601 2602 local_bh_disable(); 2603 bh_lock_sock_nested(sk); 2604 netlbl_sock_delattr(sk); 2605 bh_unlock_sock(sk); 2606 local_bh_enable(); 2607 ssp->smk_state = SMK_NETLBL_UNLABELED; 2608 } 2609 2610 /** 2611 * smk_ipv4_check - Perform IPv4 host access checks 2612 * @sk: the socket 2613 * @sap: the destination address 2614 * 2615 * Set the correct secattr for the given socket based on the destination 2616 * address and perform any outbound access checks needed. 2617 * 2618 * Returns 0 on success or an error code. 2619 * 2620 */ 2621 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2622 { 2623 struct smack_known *skp; 2624 int rc = 0; 2625 struct smack_known *hkp; 2626 struct socket_smack *ssp = sk->sk_security; 2627 struct smk_audit_info ad; 2628 2629 rcu_read_lock(); 2630 hkp = smack_ipv4host_label(sap); 2631 if (hkp != NULL) { 2632 #ifdef CONFIG_AUDIT 2633 struct lsm_network_audit net; 2634 2635 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2636 ad.a.u.net->family = sap->sin_family; 2637 ad.a.u.net->dport = sap->sin_port; 2638 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2639 #endif 2640 skp = ssp->smk_out; 2641 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2642 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2643 /* 2644 * Clear the socket netlabel if it's set. 2645 */ 2646 if (!rc) 2647 smack_netlbl_delete(sk); 2648 } 2649 rcu_read_unlock(); 2650 2651 return rc; 2652 } 2653 2654 /** 2655 * smk_ipv6_check - check Smack access 2656 * @subject: subject Smack label 2657 * @object: object Smack label 2658 * @address: address 2659 * @act: the action being taken 2660 * 2661 * Check an IPv6 access 2662 */ 2663 static int smk_ipv6_check(struct smack_known *subject, 2664 struct smack_known *object, 2665 struct sockaddr_in6 *address, int act) 2666 { 2667 #ifdef CONFIG_AUDIT 2668 struct lsm_network_audit net; 2669 #endif 2670 struct smk_audit_info ad; 2671 int rc; 2672 2673 #ifdef CONFIG_AUDIT 2674 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2675 ad.a.u.net->family = PF_INET6; 2676 ad.a.u.net->dport = address->sin6_port; 2677 if (act == SMK_RECEIVING) 2678 ad.a.u.net->v6info.saddr = address->sin6_addr; 2679 else 2680 ad.a.u.net->v6info.daddr = address->sin6_addr; 2681 #endif 2682 rc = smk_access(subject, object, MAY_WRITE, &ad); 2683 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2684 return rc; 2685 } 2686 2687 #ifdef SMACK_IPV6_PORT_LABELING 2688 /** 2689 * smk_ipv6_port_label - Smack port access table management 2690 * @sock: socket 2691 * @address: address 2692 * 2693 * Create or update the port list entry 2694 */ 2695 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2696 { 2697 struct sock *sk = sock->sk; 2698 struct sockaddr_in6 *addr6; 2699 struct socket_smack *ssp = sock->sk->sk_security; 2700 struct smk_port_label *spp; 2701 unsigned short port = 0; 2702 2703 if (address == NULL) { 2704 /* 2705 * This operation is changing the Smack information 2706 * on the bound socket. Take the changes to the port 2707 * as well. 2708 */ 2709 rcu_read_lock(); 2710 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2711 if (sk != spp->smk_sock) 2712 continue; 2713 spp->smk_in = ssp->smk_in; 2714 spp->smk_out = ssp->smk_out; 2715 rcu_read_unlock(); 2716 return; 2717 } 2718 /* 2719 * A NULL address is only used for updating existing 2720 * bound entries. If there isn't one, it's OK. 2721 */ 2722 rcu_read_unlock(); 2723 return; 2724 } 2725 2726 addr6 = (struct sockaddr_in6 *)address; 2727 port = ntohs(addr6->sin6_port); 2728 /* 2729 * This is a special case that is safely ignored. 2730 */ 2731 if (port == 0) 2732 return; 2733 2734 /* 2735 * Look for an existing port list entry. 2736 * This is an indication that a port is getting reused. 2737 */ 2738 rcu_read_lock(); 2739 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2740 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2741 continue; 2742 if (spp->smk_can_reuse != 1) { 2743 rcu_read_unlock(); 2744 return; 2745 } 2746 spp->smk_port = port; 2747 spp->smk_sock = sk; 2748 spp->smk_in = ssp->smk_in; 2749 spp->smk_out = ssp->smk_out; 2750 spp->smk_can_reuse = 0; 2751 rcu_read_unlock(); 2752 return; 2753 } 2754 rcu_read_unlock(); 2755 /* 2756 * A new port entry is required. 2757 */ 2758 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2759 if (spp == NULL) 2760 return; 2761 2762 spp->smk_port = port; 2763 spp->smk_sock = sk; 2764 spp->smk_in = ssp->smk_in; 2765 spp->smk_out = ssp->smk_out; 2766 spp->smk_sock_type = sock->type; 2767 spp->smk_can_reuse = 0; 2768 2769 mutex_lock(&smack_ipv6_lock); 2770 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2771 mutex_unlock(&smack_ipv6_lock); 2772 return; 2773 } 2774 2775 /** 2776 * smk_ipv6_port_check - check Smack port access 2777 * @sk: socket 2778 * @address: address 2779 * @act: the action being taken 2780 * 2781 * Create or update the port list entry 2782 */ 2783 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2784 int act) 2785 { 2786 struct smk_port_label *spp; 2787 struct socket_smack *ssp = sk->sk_security; 2788 struct smack_known *skp = NULL; 2789 unsigned short port; 2790 struct smack_known *object; 2791 2792 if (act == SMK_RECEIVING) { 2793 skp = smack_ipv6host_label(address); 2794 object = ssp->smk_in; 2795 } else { 2796 skp = ssp->smk_out; 2797 object = smack_ipv6host_label(address); 2798 } 2799 2800 /* 2801 * The other end is a single label host. 2802 */ 2803 if (skp != NULL && object != NULL) 2804 return smk_ipv6_check(skp, object, address, act); 2805 if (skp == NULL) 2806 skp = smack_net_ambient; 2807 if (object == NULL) 2808 object = smack_net_ambient; 2809 2810 /* 2811 * It's remote, so port lookup does no good. 2812 */ 2813 if (!smk_ipv6_localhost(address)) 2814 return smk_ipv6_check(skp, object, address, act); 2815 2816 /* 2817 * It's local so the send check has to have passed. 2818 */ 2819 if (act == SMK_RECEIVING) 2820 return 0; 2821 2822 port = ntohs(address->sin6_port); 2823 rcu_read_lock(); 2824 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2825 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2826 continue; 2827 object = spp->smk_in; 2828 if (act == SMK_CONNECTING) 2829 ssp->smk_packet = spp->smk_out; 2830 break; 2831 } 2832 rcu_read_unlock(); 2833 2834 return smk_ipv6_check(skp, object, address, act); 2835 } 2836 #endif 2837 2838 /** 2839 * smack_inode_setsecurity - set smack xattrs 2840 * @inode: the object 2841 * @name: attribute name 2842 * @value: attribute value 2843 * @size: size of the attribute 2844 * @flags: unused 2845 * 2846 * Sets the named attribute in the appropriate blob 2847 * 2848 * Returns 0 on success, or an error code 2849 */ 2850 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2851 const void *value, size_t size, int flags) 2852 { 2853 struct smack_known *skp; 2854 struct inode_smack *nsp = smack_inode(inode); 2855 struct socket_smack *ssp; 2856 struct socket *sock; 2857 int rc = 0; 2858 2859 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2860 return -EINVAL; 2861 2862 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2863 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2864 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2865 return -EINVAL; 2866 2867 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2868 return 0; 2869 } 2870 2871 skp = smk_import_entry(value, size); 2872 if (IS_ERR(skp)) 2873 return PTR_ERR(skp); 2874 2875 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2876 nsp->smk_inode = skp; 2877 nsp->smk_flags |= SMK_INODE_INSTANT; 2878 return 0; 2879 } 2880 /* 2881 * The rest of the Smack xattrs are only on sockets. 2882 */ 2883 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2884 return -EOPNOTSUPP; 2885 2886 sock = SOCKET_I(inode); 2887 if (sock == NULL || sock->sk == NULL) 2888 return -EOPNOTSUPP; 2889 2890 ssp = sock->sk->sk_security; 2891 2892 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2893 ssp->smk_in = skp; 2894 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2895 ssp->smk_out = skp; 2896 if (sock->sk->sk_family == PF_INET) { 2897 rc = smack_netlbl_add(sock->sk); 2898 if (rc != 0) 2899 printk(KERN_WARNING 2900 "Smack: \"%s\" netlbl error %d.\n", 2901 __func__, -rc); 2902 } 2903 } else 2904 return -EOPNOTSUPP; 2905 2906 #ifdef SMACK_IPV6_PORT_LABELING 2907 if (sock->sk->sk_family == PF_INET6) 2908 smk_ipv6_port_label(sock, NULL); 2909 #endif 2910 2911 return 0; 2912 } 2913 2914 /** 2915 * smack_socket_post_create - finish socket setup 2916 * @sock: the socket 2917 * @family: protocol family 2918 * @type: unused 2919 * @protocol: unused 2920 * @kern: unused 2921 * 2922 * Sets the netlabel information on the socket 2923 * 2924 * Returns 0 on success, and error code otherwise 2925 */ 2926 static int smack_socket_post_create(struct socket *sock, int family, 2927 int type, int protocol, int kern) 2928 { 2929 struct socket_smack *ssp; 2930 2931 if (sock->sk == NULL) 2932 return 0; 2933 2934 /* 2935 * Sockets created by kernel threads receive web label. 2936 */ 2937 if (unlikely(current->flags & PF_KTHREAD)) { 2938 ssp = sock->sk->sk_security; 2939 ssp->smk_in = &smack_known_web; 2940 ssp->smk_out = &smack_known_web; 2941 } 2942 2943 if (family != PF_INET) 2944 return 0; 2945 /* 2946 * Set the outbound netlbl. 2947 */ 2948 return smack_netlbl_add(sock->sk); 2949 } 2950 2951 /** 2952 * smack_socket_socketpair - create socket pair 2953 * @socka: one socket 2954 * @sockb: another socket 2955 * 2956 * Cross reference the peer labels for SO_PEERSEC 2957 * 2958 * Returns 0 2959 */ 2960 static int smack_socket_socketpair(struct socket *socka, 2961 struct socket *sockb) 2962 { 2963 struct socket_smack *asp = socka->sk->sk_security; 2964 struct socket_smack *bsp = sockb->sk->sk_security; 2965 2966 asp->smk_packet = bsp->smk_out; 2967 bsp->smk_packet = asp->smk_out; 2968 2969 return 0; 2970 } 2971 2972 #ifdef SMACK_IPV6_PORT_LABELING 2973 /** 2974 * smack_socket_bind - record port binding information. 2975 * @sock: the socket 2976 * @address: the port address 2977 * @addrlen: size of the address 2978 * 2979 * Records the label bound to a port. 2980 * 2981 * Returns 0 on success, and error code otherwise 2982 */ 2983 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2984 int addrlen) 2985 { 2986 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2987 if (addrlen < SIN6_LEN_RFC2133 || 2988 address->sa_family != AF_INET6) 2989 return -EINVAL; 2990 smk_ipv6_port_label(sock, address); 2991 } 2992 return 0; 2993 } 2994 #endif /* SMACK_IPV6_PORT_LABELING */ 2995 2996 /** 2997 * smack_socket_connect - connect access check 2998 * @sock: the socket 2999 * @sap: the other end 3000 * @addrlen: size of sap 3001 * 3002 * Verifies that a connection may be possible 3003 * 3004 * Returns 0 on success, and error code otherwise 3005 */ 3006 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3007 int addrlen) 3008 { 3009 int rc = 0; 3010 3011 if (sock->sk == NULL) 3012 return 0; 3013 if (sock->sk->sk_family != PF_INET && 3014 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3015 return 0; 3016 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3017 return 0; 3018 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { 3019 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3020 struct smack_known *rsp = NULL; 3021 3022 if (addrlen < SIN6_LEN_RFC2133) 3023 return 0; 3024 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3025 rsp = smack_ipv6host_label(sip); 3026 if (rsp != NULL) { 3027 struct socket_smack *ssp = sock->sk->sk_security; 3028 3029 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3030 SMK_CONNECTING); 3031 } 3032 #ifdef SMACK_IPV6_PORT_LABELING 3033 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3034 #endif 3035 3036 return rc; 3037 } 3038 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3039 return 0; 3040 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3041 return rc; 3042 } 3043 3044 /** 3045 * smack_flags_to_may - convert S_ to MAY_ values 3046 * @flags: the S_ value 3047 * 3048 * Returns the equivalent MAY_ value 3049 */ 3050 static int smack_flags_to_may(int flags) 3051 { 3052 int may = 0; 3053 3054 if (flags & S_IRUGO) 3055 may |= MAY_READ; 3056 if (flags & S_IWUGO) 3057 may |= MAY_WRITE; 3058 if (flags & S_IXUGO) 3059 may |= MAY_EXEC; 3060 3061 return may; 3062 } 3063 3064 /** 3065 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3066 * @msg: the object 3067 * 3068 * Returns 0 3069 */ 3070 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3071 { 3072 struct smack_known **blob = smack_msg_msg(msg); 3073 3074 *blob = smk_of_current(); 3075 return 0; 3076 } 3077 3078 /** 3079 * smack_of_ipc - the smack pointer for the ipc 3080 * @isp: the object 3081 * 3082 * Returns a pointer to the smack value 3083 */ 3084 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3085 { 3086 struct smack_known **blob = smack_ipc(isp); 3087 3088 return *blob; 3089 } 3090 3091 /** 3092 * smack_ipc_alloc_security - Set the security blob for ipc 3093 * @isp: the object 3094 * 3095 * Returns 0 3096 */ 3097 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3098 { 3099 struct smack_known **blob = smack_ipc(isp); 3100 3101 *blob = smk_of_current(); 3102 return 0; 3103 } 3104 3105 /** 3106 * smk_curacc_shm : check if current has access on shm 3107 * @isp : the object 3108 * @access : access requested 3109 * 3110 * Returns 0 if current has the requested access, error code otherwise 3111 */ 3112 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3113 { 3114 struct smack_known *ssp = smack_of_ipc(isp); 3115 struct smk_audit_info ad; 3116 int rc; 3117 3118 #ifdef CONFIG_AUDIT 3119 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3120 ad.a.u.ipc_id = isp->id; 3121 #endif 3122 rc = smk_curacc(ssp, access, &ad); 3123 rc = smk_bu_current("shm", ssp, access, rc); 3124 return rc; 3125 } 3126 3127 /** 3128 * smack_shm_associate - Smack access check for shm 3129 * @isp: the object 3130 * @shmflg: access requested 3131 * 3132 * Returns 0 if current has the requested access, error code otherwise 3133 */ 3134 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3135 { 3136 int may; 3137 3138 may = smack_flags_to_may(shmflg); 3139 return smk_curacc_shm(isp, may); 3140 } 3141 3142 /** 3143 * smack_shm_shmctl - Smack access check for shm 3144 * @isp: the object 3145 * @cmd: what it wants to do 3146 * 3147 * Returns 0 if current has the requested access, error code otherwise 3148 */ 3149 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3150 { 3151 int may; 3152 3153 switch (cmd) { 3154 case IPC_STAT: 3155 case SHM_STAT: 3156 case SHM_STAT_ANY: 3157 may = MAY_READ; 3158 break; 3159 case IPC_SET: 3160 case SHM_LOCK: 3161 case SHM_UNLOCK: 3162 case IPC_RMID: 3163 may = MAY_READWRITE; 3164 break; 3165 case IPC_INFO: 3166 case SHM_INFO: 3167 /* 3168 * System level information. 3169 */ 3170 return 0; 3171 default: 3172 return -EINVAL; 3173 } 3174 return smk_curacc_shm(isp, may); 3175 } 3176 3177 /** 3178 * smack_shm_shmat - Smack access for shmat 3179 * @isp: the object 3180 * @shmaddr: unused 3181 * @shmflg: access requested 3182 * 3183 * Returns 0 if current has the requested access, error code otherwise 3184 */ 3185 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3186 int shmflg) 3187 { 3188 int may; 3189 3190 may = smack_flags_to_may(shmflg); 3191 return smk_curacc_shm(isp, may); 3192 } 3193 3194 /** 3195 * smk_curacc_sem : check if current has access on sem 3196 * @isp : the object 3197 * @access : access requested 3198 * 3199 * Returns 0 if current has the requested access, error code otherwise 3200 */ 3201 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3202 { 3203 struct smack_known *ssp = smack_of_ipc(isp); 3204 struct smk_audit_info ad; 3205 int rc; 3206 3207 #ifdef CONFIG_AUDIT 3208 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3209 ad.a.u.ipc_id = isp->id; 3210 #endif 3211 rc = smk_curacc(ssp, access, &ad); 3212 rc = smk_bu_current("sem", ssp, access, rc); 3213 return rc; 3214 } 3215 3216 /** 3217 * smack_sem_associate - Smack access check for sem 3218 * @isp: the object 3219 * @semflg: access requested 3220 * 3221 * Returns 0 if current has the requested access, error code otherwise 3222 */ 3223 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3224 { 3225 int may; 3226 3227 may = smack_flags_to_may(semflg); 3228 return smk_curacc_sem(isp, may); 3229 } 3230 3231 /** 3232 * smack_sem_semctl - Smack access check for sem 3233 * @isp: the object 3234 * @cmd: what it wants to do 3235 * 3236 * Returns 0 if current has the requested access, error code otherwise 3237 */ 3238 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3239 { 3240 int may; 3241 3242 switch (cmd) { 3243 case GETPID: 3244 case GETNCNT: 3245 case GETZCNT: 3246 case GETVAL: 3247 case GETALL: 3248 case IPC_STAT: 3249 case SEM_STAT: 3250 case SEM_STAT_ANY: 3251 may = MAY_READ; 3252 break; 3253 case SETVAL: 3254 case SETALL: 3255 case IPC_RMID: 3256 case IPC_SET: 3257 may = MAY_READWRITE; 3258 break; 3259 case IPC_INFO: 3260 case SEM_INFO: 3261 /* 3262 * System level information 3263 */ 3264 return 0; 3265 default: 3266 return -EINVAL; 3267 } 3268 3269 return smk_curacc_sem(isp, may); 3270 } 3271 3272 /** 3273 * smack_sem_semop - Smack checks of semaphore operations 3274 * @isp: the object 3275 * @sops: unused 3276 * @nsops: unused 3277 * @alter: unused 3278 * 3279 * Treated as read and write in all cases. 3280 * 3281 * Returns 0 if access is allowed, error code otherwise 3282 */ 3283 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3284 unsigned nsops, int alter) 3285 { 3286 return smk_curacc_sem(isp, MAY_READWRITE); 3287 } 3288 3289 /** 3290 * smk_curacc_msq : helper to check if current has access on msq 3291 * @isp : the msq 3292 * @access : access requested 3293 * 3294 * return 0 if current has access, error otherwise 3295 */ 3296 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3297 { 3298 struct smack_known *msp = smack_of_ipc(isp); 3299 struct smk_audit_info ad; 3300 int rc; 3301 3302 #ifdef CONFIG_AUDIT 3303 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3304 ad.a.u.ipc_id = isp->id; 3305 #endif 3306 rc = smk_curacc(msp, access, &ad); 3307 rc = smk_bu_current("msq", msp, access, rc); 3308 return rc; 3309 } 3310 3311 /** 3312 * smack_msg_queue_associate - Smack access check for msg_queue 3313 * @isp: the object 3314 * @msqflg: access requested 3315 * 3316 * Returns 0 if current has the requested access, error code otherwise 3317 */ 3318 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3319 { 3320 int may; 3321 3322 may = smack_flags_to_may(msqflg); 3323 return smk_curacc_msq(isp, may); 3324 } 3325 3326 /** 3327 * smack_msg_queue_msgctl - Smack access check for msg_queue 3328 * @isp: the object 3329 * @cmd: what it wants to do 3330 * 3331 * Returns 0 if current has the requested access, error code otherwise 3332 */ 3333 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3334 { 3335 int may; 3336 3337 switch (cmd) { 3338 case IPC_STAT: 3339 case MSG_STAT: 3340 case MSG_STAT_ANY: 3341 may = MAY_READ; 3342 break; 3343 case IPC_SET: 3344 case IPC_RMID: 3345 may = MAY_READWRITE; 3346 break; 3347 case IPC_INFO: 3348 case MSG_INFO: 3349 /* 3350 * System level information 3351 */ 3352 return 0; 3353 default: 3354 return -EINVAL; 3355 } 3356 3357 return smk_curacc_msq(isp, may); 3358 } 3359 3360 /** 3361 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3362 * @isp: the object 3363 * @msg: unused 3364 * @msqflg: access requested 3365 * 3366 * Returns 0 if current has the requested access, error code otherwise 3367 */ 3368 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3369 int msqflg) 3370 { 3371 int may; 3372 3373 may = smack_flags_to_may(msqflg); 3374 return smk_curacc_msq(isp, may); 3375 } 3376 3377 /** 3378 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3379 * @isp: the object 3380 * @msg: unused 3381 * @target: unused 3382 * @type: unused 3383 * @mode: unused 3384 * 3385 * Returns 0 if current has read and write access, error code otherwise 3386 */ 3387 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3388 struct msg_msg *msg, 3389 struct task_struct *target, long type, 3390 int mode) 3391 { 3392 return smk_curacc_msq(isp, MAY_READWRITE); 3393 } 3394 3395 /** 3396 * smack_ipc_permission - Smack access for ipc_permission() 3397 * @ipp: the object permissions 3398 * @flag: access requested 3399 * 3400 * Returns 0 if current has read and write access, error code otherwise 3401 */ 3402 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3403 { 3404 struct smack_known **blob = smack_ipc(ipp); 3405 struct smack_known *iskp = *blob; 3406 int may = smack_flags_to_may(flag); 3407 struct smk_audit_info ad; 3408 int rc; 3409 3410 #ifdef CONFIG_AUDIT 3411 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3412 ad.a.u.ipc_id = ipp->id; 3413 #endif 3414 rc = smk_curacc(iskp, may, &ad); 3415 rc = smk_bu_current("svipc", iskp, may, rc); 3416 return rc; 3417 } 3418 3419 /** 3420 * smack_ipc_getsecid - Extract smack security id 3421 * @ipp: the object permissions 3422 * @secid: where result will be saved 3423 */ 3424 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3425 { 3426 struct smack_known **blob = smack_ipc(ipp); 3427 struct smack_known *iskp = *blob; 3428 3429 *secid = iskp->smk_secid; 3430 } 3431 3432 /** 3433 * smack_d_instantiate - Make sure the blob is correct on an inode 3434 * @opt_dentry: dentry where inode will be attached 3435 * @inode: the object 3436 * 3437 * Set the inode's security blob if it hasn't been done already. 3438 */ 3439 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3440 { 3441 struct super_block *sbp; 3442 struct superblock_smack *sbsp; 3443 struct inode_smack *isp; 3444 struct smack_known *skp; 3445 struct smack_known *ckp = smk_of_current(); 3446 struct smack_known *final; 3447 char trattr[TRANS_TRUE_SIZE]; 3448 int transflag = 0; 3449 int rc; 3450 struct dentry *dp; 3451 3452 if (inode == NULL) 3453 return; 3454 3455 isp = smack_inode(inode); 3456 3457 /* 3458 * If the inode is already instantiated 3459 * take the quick way out 3460 */ 3461 if (isp->smk_flags & SMK_INODE_INSTANT) 3462 return; 3463 3464 sbp = inode->i_sb; 3465 sbsp = smack_superblock(sbp); 3466 /* 3467 * We're going to use the superblock default label 3468 * if there's no label on the file. 3469 */ 3470 final = sbsp->smk_default; 3471 3472 /* 3473 * If this is the root inode the superblock 3474 * may be in the process of initialization. 3475 * If that is the case use the root value out 3476 * of the superblock. 3477 */ 3478 if (opt_dentry->d_parent == opt_dentry) { 3479 switch (sbp->s_magic) { 3480 case CGROUP_SUPER_MAGIC: 3481 case CGROUP2_SUPER_MAGIC: 3482 /* 3483 * The cgroup filesystem is never mounted, 3484 * so there's no opportunity to set the mount 3485 * options. 3486 */ 3487 sbsp->smk_root = &smack_known_star; 3488 sbsp->smk_default = &smack_known_star; 3489 isp->smk_inode = sbsp->smk_root; 3490 break; 3491 case TMPFS_MAGIC: 3492 /* 3493 * What about shmem/tmpfs anonymous files with dentry 3494 * obtained from d_alloc_pseudo()? 3495 */ 3496 isp->smk_inode = smk_of_current(); 3497 break; 3498 case PIPEFS_MAGIC: 3499 isp->smk_inode = smk_of_current(); 3500 break; 3501 case SOCKFS_MAGIC: 3502 /* 3503 * Socket access is controlled by the socket 3504 * structures associated with the task involved. 3505 */ 3506 isp->smk_inode = &smack_known_star; 3507 break; 3508 default: 3509 isp->smk_inode = sbsp->smk_root; 3510 break; 3511 } 3512 isp->smk_flags |= SMK_INODE_INSTANT; 3513 return; 3514 } 3515 3516 /* 3517 * This is pretty hackish. 3518 * Casey says that we shouldn't have to do 3519 * file system specific code, but it does help 3520 * with keeping it simple. 3521 */ 3522 switch (sbp->s_magic) { 3523 case SMACK_MAGIC: 3524 case CGROUP_SUPER_MAGIC: 3525 case CGROUP2_SUPER_MAGIC: 3526 /* 3527 * Casey says that it's a little embarrassing 3528 * that the smack file system doesn't do 3529 * extended attributes. 3530 * 3531 * Cgroupfs is special 3532 */ 3533 final = &smack_known_star; 3534 break; 3535 case DEVPTS_SUPER_MAGIC: 3536 /* 3537 * devpts seems content with the label of the task. 3538 * Programs that change smack have to treat the 3539 * pty with respect. 3540 */ 3541 final = ckp; 3542 break; 3543 case PROC_SUPER_MAGIC: 3544 /* 3545 * Casey says procfs appears not to care. 3546 * The superblock default suffices. 3547 */ 3548 break; 3549 case TMPFS_MAGIC: 3550 /* 3551 * Device labels should come from the filesystem, 3552 * but watch out, because they're volitile, 3553 * getting recreated on every reboot. 3554 */ 3555 final = &smack_known_star; 3556 /* 3557 * If a smack value has been set we want to use it, 3558 * but since tmpfs isn't giving us the opportunity 3559 * to set mount options simulate setting the 3560 * superblock default. 3561 */ 3562 fallthrough; 3563 default: 3564 /* 3565 * This isn't an understood special case. 3566 * Get the value from the xattr. 3567 */ 3568 3569 /* 3570 * UNIX domain sockets use lower level socket data. 3571 */ 3572 if (S_ISSOCK(inode->i_mode)) { 3573 final = &smack_known_star; 3574 break; 3575 } 3576 /* 3577 * No xattr support means, alas, no SMACK label. 3578 * Use the aforeapplied default. 3579 * It would be curious if the label of the task 3580 * does not match that assigned. 3581 */ 3582 if (!(inode->i_opflags & IOP_XATTR)) 3583 break; 3584 /* 3585 * Get the dentry for xattr. 3586 */ 3587 dp = dget(opt_dentry); 3588 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3589 if (!IS_ERR_OR_NULL(skp)) 3590 final = skp; 3591 3592 /* 3593 * Transmuting directory 3594 */ 3595 if (S_ISDIR(inode->i_mode)) { 3596 /* 3597 * If this is a new directory and the label was 3598 * transmuted when the inode was initialized 3599 * set the transmute attribute on the directory 3600 * and mark the inode. 3601 * 3602 * If there is a transmute attribute on the 3603 * directory mark the inode. 3604 */ 3605 rc = __vfs_getxattr(dp, inode, 3606 XATTR_NAME_SMACKTRANSMUTE, trattr, 3607 TRANS_TRUE_SIZE); 3608 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3609 TRANS_TRUE_SIZE) != 0) 3610 rc = -EINVAL; 3611 if (rc >= 0) 3612 transflag = SMK_INODE_TRANSMUTE; 3613 } 3614 /* 3615 * Don't let the exec or mmap label be "*" or "@". 3616 */ 3617 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3618 if (IS_ERR(skp) || skp == &smack_known_star || 3619 skp == &smack_known_web) 3620 skp = NULL; 3621 isp->smk_task = skp; 3622 3623 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3624 if (IS_ERR(skp) || skp == &smack_known_star || 3625 skp == &smack_known_web) 3626 skp = NULL; 3627 isp->smk_mmap = skp; 3628 3629 dput(dp); 3630 break; 3631 } 3632 3633 if (final == NULL) 3634 isp->smk_inode = ckp; 3635 else 3636 isp->smk_inode = final; 3637 3638 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3639 3640 return; 3641 } 3642 3643 /** 3644 * smack_getselfattr - Smack current process attribute 3645 * @attr: which attribute to fetch 3646 * @ctx: buffer to receive the result 3647 * @size: available size in, actual size out 3648 * @flags: unused 3649 * 3650 * Fill the passed user space @ctx with the details of the requested 3651 * attribute. 3652 * 3653 * Returns the number of attributes on success, an error code otherwise. 3654 * There will only ever be one attribute. 3655 */ 3656 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3657 u32 *size, u32 flags) 3658 { 3659 int rc; 3660 struct smack_known *skp; 3661 3662 if (attr != LSM_ATTR_CURRENT) 3663 return -EOPNOTSUPP; 3664 3665 skp = smk_of_current(); 3666 rc = lsm_fill_user_ctx(ctx, size, 3667 skp->smk_known, strlen(skp->smk_known) + 1, 3668 LSM_ID_SMACK, 0); 3669 return (!rc ? 1 : rc); 3670 } 3671 3672 /** 3673 * smack_getprocattr - Smack process attribute access 3674 * @p: the object task 3675 * @name: the name of the attribute in /proc/.../attr 3676 * @value: where to put the result 3677 * 3678 * Places a copy of the task Smack into value 3679 * 3680 * Returns the length of the smack label or an error code 3681 */ 3682 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3683 { 3684 struct smack_known *skp = smk_of_task_struct_obj(p); 3685 char *cp; 3686 int slen; 3687 3688 if (strcmp(name, "current") != 0) 3689 return -EINVAL; 3690 3691 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3692 if (cp == NULL) 3693 return -ENOMEM; 3694 3695 slen = strlen(cp); 3696 *value = cp; 3697 return slen; 3698 } 3699 3700 /** 3701 * do_setattr - Smack process attribute setting 3702 * @attr: the ID of the attribute 3703 * @value: the value to set 3704 * @size: the size of the value 3705 * 3706 * Sets the Smack value of the task. Only setting self 3707 * is permitted and only with privilege 3708 * 3709 * Returns the length of the smack label or an error code 3710 */ 3711 static int do_setattr(u64 attr, void *value, size_t size) 3712 { 3713 struct task_smack *tsp = smack_cred(current_cred()); 3714 struct cred *new; 3715 struct smack_known *skp; 3716 struct smack_known_list_elem *sklep; 3717 int rc; 3718 3719 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3720 return -EPERM; 3721 3722 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3723 return -EINVAL; 3724 3725 if (attr != LSM_ATTR_CURRENT) 3726 return -EOPNOTSUPP; 3727 3728 skp = smk_import_entry(value, size); 3729 if (IS_ERR(skp)) 3730 return PTR_ERR(skp); 3731 3732 /* 3733 * No process is ever allowed the web ("@") label 3734 * and the star ("*") label. 3735 */ 3736 if (skp == &smack_known_web || skp == &smack_known_star) 3737 return -EINVAL; 3738 3739 if (!smack_privileged(CAP_MAC_ADMIN)) { 3740 rc = -EPERM; 3741 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3742 if (sklep->smk_label == skp) { 3743 rc = 0; 3744 break; 3745 } 3746 if (rc) 3747 return rc; 3748 } 3749 3750 new = prepare_creds(); 3751 if (new == NULL) 3752 return -ENOMEM; 3753 3754 tsp = smack_cred(new); 3755 tsp->smk_task = skp; 3756 /* 3757 * process can change its label only once 3758 */ 3759 smk_destroy_label_list(&tsp->smk_relabel); 3760 3761 commit_creds(new); 3762 return size; 3763 } 3764 3765 /** 3766 * smack_setselfattr - Set a Smack process attribute 3767 * @attr: which attribute to set 3768 * @ctx: buffer containing the data 3769 * @size: size of @ctx 3770 * @flags: unused 3771 * 3772 * Fill the passed user space @ctx with the details of the requested 3773 * attribute. 3774 * 3775 * Returns 0 on success, an error code otherwise. 3776 */ 3777 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3778 u32 size, u32 flags) 3779 { 3780 int rc; 3781 3782 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3783 if (rc > 0) 3784 return 0; 3785 return rc; 3786 } 3787 3788 /** 3789 * smack_setprocattr - Smack process attribute setting 3790 * @name: the name of the attribute in /proc/.../attr 3791 * @value: the value to set 3792 * @size: the size of the value 3793 * 3794 * Sets the Smack value of the task. Only setting self 3795 * is permitted and only with privilege 3796 * 3797 * Returns the length of the smack label or an error code 3798 */ 3799 static int smack_setprocattr(const char *name, void *value, size_t size) 3800 { 3801 int attr = lsm_name_to_attr(name); 3802 3803 if (attr != LSM_ATTR_UNDEF) 3804 return do_setattr(attr, value, size); 3805 return -EINVAL; 3806 } 3807 3808 /** 3809 * smack_unix_stream_connect - Smack access on UDS 3810 * @sock: one sock 3811 * @other: the other sock 3812 * @newsk: unused 3813 * 3814 * Return 0 if a subject with the smack of sock could access 3815 * an object with the smack of other, otherwise an error code 3816 */ 3817 static int smack_unix_stream_connect(struct sock *sock, 3818 struct sock *other, struct sock *newsk) 3819 { 3820 struct smack_known *skp; 3821 struct smack_known *okp; 3822 struct socket_smack *ssp = sock->sk_security; 3823 struct socket_smack *osp = other->sk_security; 3824 struct socket_smack *nsp = newsk->sk_security; 3825 struct smk_audit_info ad; 3826 int rc = 0; 3827 #ifdef CONFIG_AUDIT 3828 struct lsm_network_audit net; 3829 #endif 3830 3831 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3832 skp = ssp->smk_out; 3833 okp = osp->smk_in; 3834 #ifdef CONFIG_AUDIT 3835 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3836 smk_ad_setfield_u_net_sk(&ad, other); 3837 #endif 3838 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3839 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3840 if (rc == 0) { 3841 okp = osp->smk_out; 3842 skp = ssp->smk_in; 3843 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3844 rc = smk_bu_note("UDS connect", okp, skp, 3845 MAY_WRITE, rc); 3846 } 3847 } 3848 3849 /* 3850 * Cross reference the peer labels for SO_PEERSEC. 3851 */ 3852 if (rc == 0) { 3853 nsp->smk_packet = ssp->smk_out; 3854 ssp->smk_packet = osp->smk_out; 3855 } 3856 3857 return rc; 3858 } 3859 3860 /** 3861 * smack_unix_may_send - Smack access on UDS 3862 * @sock: one socket 3863 * @other: the other socket 3864 * 3865 * Return 0 if a subject with the smack of sock could access 3866 * an object with the smack of other, otherwise an error code 3867 */ 3868 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3869 { 3870 struct socket_smack *ssp = sock->sk->sk_security; 3871 struct socket_smack *osp = other->sk->sk_security; 3872 struct smk_audit_info ad; 3873 int rc; 3874 3875 #ifdef CONFIG_AUDIT 3876 struct lsm_network_audit net; 3877 3878 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3879 smk_ad_setfield_u_net_sk(&ad, other->sk); 3880 #endif 3881 3882 if (smack_privileged(CAP_MAC_OVERRIDE)) 3883 return 0; 3884 3885 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3886 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3887 return rc; 3888 } 3889 3890 /** 3891 * smack_socket_sendmsg - Smack check based on destination host 3892 * @sock: the socket 3893 * @msg: the message 3894 * @size: the size of the message 3895 * 3896 * Return 0 if the current subject can write to the destination host. 3897 * For IPv4 this is only a question if the destination is a single label host. 3898 * For IPv6 this is a check against the label of the port. 3899 */ 3900 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3901 int size) 3902 { 3903 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3904 #if IS_ENABLED(CONFIG_IPV6) 3905 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3906 #endif 3907 #ifdef SMACK_IPV6_SECMARK_LABELING 3908 struct socket_smack *ssp = sock->sk->sk_security; 3909 struct smack_known *rsp; 3910 #endif 3911 int rc = 0; 3912 3913 /* 3914 * Perfectly reasonable for this to be NULL 3915 */ 3916 if (sip == NULL) 3917 return 0; 3918 3919 switch (sock->sk->sk_family) { 3920 case AF_INET: 3921 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3922 sip->sin_family != AF_INET) 3923 return -EINVAL; 3924 rc = smk_ipv4_check(sock->sk, sip); 3925 break; 3926 #if IS_ENABLED(CONFIG_IPV6) 3927 case AF_INET6: 3928 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3929 sap->sin6_family != AF_INET6) 3930 return -EINVAL; 3931 #ifdef SMACK_IPV6_SECMARK_LABELING 3932 rsp = smack_ipv6host_label(sap); 3933 if (rsp != NULL) 3934 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3935 SMK_CONNECTING); 3936 #endif 3937 #ifdef SMACK_IPV6_PORT_LABELING 3938 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3939 #endif 3940 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3941 break; 3942 } 3943 return rc; 3944 } 3945 3946 /** 3947 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3948 * @sap: netlabel secattr 3949 * @ssp: socket security information 3950 * 3951 * Returns a pointer to a Smack label entry found on the label list. 3952 */ 3953 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3954 struct socket_smack *ssp) 3955 { 3956 struct smack_known *skp; 3957 int found = 0; 3958 int acat; 3959 int kcat; 3960 3961 /* 3962 * Netlabel found it in the cache. 3963 */ 3964 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3965 return (struct smack_known *)sap->cache->data; 3966 3967 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3968 /* 3969 * Looks like a fallback, which gives us a secid. 3970 */ 3971 return smack_from_secid(sap->attr.secid); 3972 3973 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3974 /* 3975 * Looks like a CIPSO packet. 3976 * If there are flags but no level netlabel isn't 3977 * behaving the way we expect it to. 3978 * 3979 * Look it up in the label table 3980 * Without guidance regarding the smack value 3981 * for the packet fall back on the network 3982 * ambient value. 3983 */ 3984 rcu_read_lock(); 3985 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3986 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3987 continue; 3988 /* 3989 * Compare the catsets. Use the netlbl APIs. 3990 */ 3991 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3992 if ((skp->smk_netlabel.flags & 3993 NETLBL_SECATTR_MLS_CAT) == 0) 3994 found = 1; 3995 break; 3996 } 3997 for (acat = -1, kcat = -1; acat == kcat; ) { 3998 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3999 acat + 1); 4000 kcat = netlbl_catmap_walk( 4001 skp->smk_netlabel.attr.mls.cat, 4002 kcat + 1); 4003 if (acat < 0 || kcat < 0) 4004 break; 4005 } 4006 if (acat == kcat) { 4007 found = 1; 4008 break; 4009 } 4010 } 4011 rcu_read_unlock(); 4012 4013 if (found) 4014 return skp; 4015 4016 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4017 return &smack_known_web; 4018 return &smack_known_star; 4019 } 4020 /* 4021 * Without guidance regarding the smack value 4022 * for the packet fall back on the network 4023 * ambient value. 4024 */ 4025 return smack_net_ambient; 4026 } 4027 4028 #if IS_ENABLED(CONFIG_IPV6) 4029 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4030 { 4031 u8 nexthdr; 4032 int offset; 4033 int proto = -EINVAL; 4034 struct ipv6hdr _ipv6h; 4035 struct ipv6hdr *ip6; 4036 __be16 frag_off; 4037 struct tcphdr _tcph, *th; 4038 struct udphdr _udph, *uh; 4039 struct dccp_hdr _dccph, *dh; 4040 4041 sip->sin6_port = 0; 4042 4043 offset = skb_network_offset(skb); 4044 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4045 if (ip6 == NULL) 4046 return -EINVAL; 4047 sip->sin6_addr = ip6->saddr; 4048 4049 nexthdr = ip6->nexthdr; 4050 offset += sizeof(_ipv6h); 4051 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4052 if (offset < 0) 4053 return -EINVAL; 4054 4055 proto = nexthdr; 4056 switch (proto) { 4057 case IPPROTO_TCP: 4058 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4059 if (th != NULL) 4060 sip->sin6_port = th->source; 4061 break; 4062 case IPPROTO_UDP: 4063 case IPPROTO_UDPLITE: 4064 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4065 if (uh != NULL) 4066 sip->sin6_port = uh->source; 4067 break; 4068 case IPPROTO_DCCP: 4069 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4070 if (dh != NULL) 4071 sip->sin6_port = dh->dccph_sport; 4072 break; 4073 } 4074 return proto; 4075 } 4076 #endif /* CONFIG_IPV6 */ 4077 4078 /** 4079 * smack_from_skb - Smack data from the secmark in an skb 4080 * @skb: packet 4081 * 4082 * Returns smack_known of the secmark or NULL if that won't work. 4083 */ 4084 #ifdef CONFIG_NETWORK_SECMARK 4085 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4086 { 4087 if (skb == NULL || skb->secmark == 0) 4088 return NULL; 4089 4090 return smack_from_secid(skb->secmark); 4091 } 4092 #else 4093 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4094 { 4095 return NULL; 4096 } 4097 #endif 4098 4099 /** 4100 * smack_from_netlbl - Smack data from the IP options in an skb 4101 * @sk: socket data came in on 4102 * @family: address family 4103 * @skb: packet 4104 * 4105 * Find the Smack label in the IP options. If it hasn't been 4106 * added to the netlabel cache, add it here. 4107 * 4108 * Returns smack_known of the IP options or NULL if that won't work. 4109 */ 4110 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4111 struct sk_buff *skb) 4112 { 4113 struct netlbl_lsm_secattr secattr; 4114 struct socket_smack *ssp = NULL; 4115 struct smack_known *skp = NULL; 4116 4117 netlbl_secattr_init(&secattr); 4118 4119 if (sk) 4120 ssp = sk->sk_security; 4121 4122 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4123 skp = smack_from_secattr(&secattr, ssp); 4124 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4125 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4126 } 4127 4128 netlbl_secattr_destroy(&secattr); 4129 4130 return skp; 4131 } 4132 4133 /** 4134 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4135 * @sk: socket 4136 * @skb: packet 4137 * 4138 * Returns 0 if the packet should be delivered, an error code otherwise 4139 */ 4140 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4141 { 4142 struct socket_smack *ssp = sk->sk_security; 4143 struct smack_known *skp = NULL; 4144 int rc = 0; 4145 struct smk_audit_info ad; 4146 u16 family = sk->sk_family; 4147 #ifdef CONFIG_AUDIT 4148 struct lsm_network_audit net; 4149 #endif 4150 #if IS_ENABLED(CONFIG_IPV6) 4151 struct sockaddr_in6 sadd; 4152 int proto; 4153 4154 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4155 family = PF_INET; 4156 #endif /* CONFIG_IPV6 */ 4157 4158 switch (family) { 4159 case PF_INET: 4160 /* 4161 * If there is a secmark use it rather than the CIPSO label. 4162 * If there is no secmark fall back to CIPSO. 4163 * The secmark is assumed to reflect policy better. 4164 */ 4165 skp = smack_from_skb(skb); 4166 if (skp == NULL) { 4167 skp = smack_from_netlbl(sk, family, skb); 4168 if (skp == NULL) 4169 skp = smack_net_ambient; 4170 } 4171 4172 #ifdef CONFIG_AUDIT 4173 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4174 ad.a.u.net->family = family; 4175 ad.a.u.net->netif = skb->skb_iif; 4176 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4177 #endif 4178 /* 4179 * Receiving a packet requires that the other end 4180 * be able to write here. Read access is not required. 4181 * This is the simplist possible security model 4182 * for networking. 4183 */ 4184 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4185 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4186 MAY_WRITE, rc); 4187 if (rc != 0) 4188 netlbl_skbuff_err(skb, family, rc, 0); 4189 break; 4190 #if IS_ENABLED(CONFIG_IPV6) 4191 case PF_INET6: 4192 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4193 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4194 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 4195 break; 4196 #ifdef SMACK_IPV6_SECMARK_LABELING 4197 skp = smack_from_skb(skb); 4198 if (skp == NULL) { 4199 if (smk_ipv6_localhost(&sadd)) 4200 break; 4201 skp = smack_ipv6host_label(&sadd); 4202 if (skp == NULL) 4203 skp = smack_net_ambient; 4204 } 4205 #ifdef CONFIG_AUDIT 4206 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4207 ad.a.u.net->family = family; 4208 ad.a.u.net->netif = skb->skb_iif; 4209 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4210 #endif /* CONFIG_AUDIT */ 4211 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4212 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4213 MAY_WRITE, rc); 4214 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4215 #ifdef SMACK_IPV6_PORT_LABELING 4216 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4217 #endif /* SMACK_IPV6_PORT_LABELING */ 4218 if (rc != 0) 4219 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4220 ICMPV6_ADM_PROHIBITED, 0); 4221 break; 4222 #endif /* CONFIG_IPV6 */ 4223 } 4224 4225 return rc; 4226 } 4227 4228 /** 4229 * smack_socket_getpeersec_stream - pull in packet label 4230 * @sock: the socket 4231 * @optval: user's destination 4232 * @optlen: size thereof 4233 * @len: max thereof 4234 * 4235 * returns zero on success, an error code otherwise 4236 */ 4237 static int smack_socket_getpeersec_stream(struct socket *sock, 4238 sockptr_t optval, sockptr_t optlen, 4239 unsigned int len) 4240 { 4241 struct socket_smack *ssp; 4242 char *rcp = ""; 4243 u32 slen = 1; 4244 int rc = 0; 4245 4246 ssp = sock->sk->sk_security; 4247 if (ssp->smk_packet != NULL) { 4248 rcp = ssp->smk_packet->smk_known; 4249 slen = strlen(rcp) + 1; 4250 } 4251 if (slen > len) { 4252 rc = -ERANGE; 4253 goto out_len; 4254 } 4255 4256 if (copy_to_sockptr(optval, rcp, slen)) 4257 rc = -EFAULT; 4258 out_len: 4259 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4260 rc = -EFAULT; 4261 return rc; 4262 } 4263 4264 4265 /** 4266 * smack_socket_getpeersec_dgram - pull in packet label 4267 * @sock: the peer socket 4268 * @skb: packet data 4269 * @secid: pointer to where to put the secid of the packet 4270 * 4271 * Sets the netlabel socket state on sk from parent 4272 */ 4273 static int smack_socket_getpeersec_dgram(struct socket *sock, 4274 struct sk_buff *skb, u32 *secid) 4275 4276 { 4277 struct socket_smack *ssp = NULL; 4278 struct smack_known *skp; 4279 struct sock *sk = NULL; 4280 int family = PF_UNSPEC; 4281 u32 s = 0; /* 0 is the invalid secid */ 4282 4283 if (skb != NULL) { 4284 if (skb->protocol == htons(ETH_P_IP)) 4285 family = PF_INET; 4286 #if IS_ENABLED(CONFIG_IPV6) 4287 else if (skb->protocol == htons(ETH_P_IPV6)) 4288 family = PF_INET6; 4289 #endif /* CONFIG_IPV6 */ 4290 } 4291 if (family == PF_UNSPEC && sock != NULL) 4292 family = sock->sk->sk_family; 4293 4294 switch (family) { 4295 case PF_UNIX: 4296 ssp = sock->sk->sk_security; 4297 s = ssp->smk_out->smk_secid; 4298 break; 4299 case PF_INET: 4300 skp = smack_from_skb(skb); 4301 if (skp) { 4302 s = skp->smk_secid; 4303 break; 4304 } 4305 /* 4306 * Translate what netlabel gave us. 4307 */ 4308 if (sock != NULL) 4309 sk = sock->sk; 4310 skp = smack_from_netlbl(sk, family, skb); 4311 if (skp != NULL) 4312 s = skp->smk_secid; 4313 break; 4314 case PF_INET6: 4315 #ifdef SMACK_IPV6_SECMARK_LABELING 4316 skp = smack_from_skb(skb); 4317 if (skp) 4318 s = skp->smk_secid; 4319 #endif 4320 break; 4321 } 4322 *secid = s; 4323 if (s == 0) 4324 return -EINVAL; 4325 return 0; 4326 } 4327 4328 /** 4329 * smack_sock_graft - Initialize a newly created socket with an existing sock 4330 * @sk: child sock 4331 * @parent: parent socket 4332 * 4333 * Set the smk_{in,out} state of an existing sock based on the process that 4334 * is creating the new socket. 4335 */ 4336 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4337 { 4338 struct socket_smack *ssp; 4339 struct smack_known *skp = smk_of_current(); 4340 4341 if (sk == NULL || 4342 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4343 return; 4344 4345 ssp = sk->sk_security; 4346 ssp->smk_in = skp; 4347 ssp->smk_out = skp; 4348 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4349 } 4350 4351 /** 4352 * smack_inet_conn_request - Smack access check on connect 4353 * @sk: socket involved 4354 * @skb: packet 4355 * @req: unused 4356 * 4357 * Returns 0 if a task with the packet label could write to 4358 * the socket, otherwise an error code 4359 */ 4360 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4361 struct request_sock *req) 4362 { 4363 u16 family = sk->sk_family; 4364 struct smack_known *skp; 4365 struct socket_smack *ssp = sk->sk_security; 4366 struct sockaddr_in addr; 4367 struct iphdr *hdr; 4368 struct smack_known *hskp; 4369 int rc; 4370 struct smk_audit_info ad; 4371 #ifdef CONFIG_AUDIT 4372 struct lsm_network_audit net; 4373 #endif 4374 4375 #if IS_ENABLED(CONFIG_IPV6) 4376 if (family == PF_INET6) { 4377 /* 4378 * Handle mapped IPv4 packets arriving 4379 * via IPv6 sockets. Don't set up netlabel 4380 * processing on IPv6. 4381 */ 4382 if (skb->protocol == htons(ETH_P_IP)) 4383 family = PF_INET; 4384 else 4385 return 0; 4386 } 4387 #endif /* CONFIG_IPV6 */ 4388 4389 /* 4390 * If there is a secmark use it rather than the CIPSO label. 4391 * If there is no secmark fall back to CIPSO. 4392 * The secmark is assumed to reflect policy better. 4393 */ 4394 skp = smack_from_skb(skb); 4395 if (skp == NULL) { 4396 skp = smack_from_netlbl(sk, family, skb); 4397 if (skp == NULL) 4398 skp = &smack_known_huh; 4399 } 4400 4401 #ifdef CONFIG_AUDIT 4402 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4403 ad.a.u.net->family = family; 4404 ad.a.u.net->netif = skb->skb_iif; 4405 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4406 #endif 4407 /* 4408 * Receiving a packet requires that the other end be able to write 4409 * here. Read access is not required. 4410 */ 4411 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4412 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4413 if (rc != 0) 4414 return rc; 4415 4416 /* 4417 * Save the peer's label in the request_sock so we can later setup 4418 * smk_packet in the child socket so that SO_PEERCRED can report it. 4419 */ 4420 req->peer_secid = skp->smk_secid; 4421 4422 /* 4423 * We need to decide if we want to label the incoming connection here 4424 * if we do we only need to label the request_sock and the stack will 4425 * propagate the wire-label to the sock when it is created. 4426 */ 4427 hdr = ip_hdr(skb); 4428 addr.sin_addr.s_addr = hdr->saddr; 4429 rcu_read_lock(); 4430 hskp = smack_ipv4host_label(&addr); 4431 rcu_read_unlock(); 4432 4433 if (hskp == NULL) 4434 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4435 else 4436 netlbl_req_delattr(req); 4437 4438 return rc; 4439 } 4440 4441 /** 4442 * smack_inet_csk_clone - Copy the connection information to the new socket 4443 * @sk: the new socket 4444 * @req: the connection's request_sock 4445 * 4446 * Transfer the connection's peer label to the newly created socket. 4447 */ 4448 static void smack_inet_csk_clone(struct sock *sk, 4449 const struct request_sock *req) 4450 { 4451 struct socket_smack *ssp = sk->sk_security; 4452 struct smack_known *skp; 4453 4454 if (req->peer_secid != 0) { 4455 skp = smack_from_secid(req->peer_secid); 4456 ssp->smk_packet = skp; 4457 } else 4458 ssp->smk_packet = NULL; 4459 } 4460 4461 /* 4462 * Key management security hooks 4463 * 4464 * Casey has not tested key support very heavily. 4465 * The permission check is most likely too restrictive. 4466 * If you care about keys please have a look. 4467 */ 4468 #ifdef CONFIG_KEYS 4469 4470 /** 4471 * smack_key_alloc - Set the key security blob 4472 * @key: object 4473 * @cred: the credentials to use 4474 * @flags: unused 4475 * 4476 * No allocation required 4477 * 4478 * Returns 0 4479 */ 4480 static int smack_key_alloc(struct key *key, const struct cred *cred, 4481 unsigned long flags) 4482 { 4483 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4484 4485 key->security = skp; 4486 return 0; 4487 } 4488 4489 /** 4490 * smack_key_free - Clear the key security blob 4491 * @key: the object 4492 * 4493 * Clear the blob pointer 4494 */ 4495 static void smack_key_free(struct key *key) 4496 { 4497 key->security = NULL; 4498 } 4499 4500 /** 4501 * smack_key_permission - Smack access on a key 4502 * @key_ref: gets to the object 4503 * @cred: the credentials to use 4504 * @need_perm: requested key permission 4505 * 4506 * Return 0 if the task has read and write to the object, 4507 * an error code otherwise 4508 */ 4509 static int smack_key_permission(key_ref_t key_ref, 4510 const struct cred *cred, 4511 enum key_need_perm need_perm) 4512 { 4513 struct key *keyp; 4514 struct smk_audit_info ad; 4515 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4516 int request = 0; 4517 int rc; 4518 4519 /* 4520 * Validate requested permissions 4521 */ 4522 switch (need_perm) { 4523 case KEY_NEED_READ: 4524 case KEY_NEED_SEARCH: 4525 case KEY_NEED_VIEW: 4526 request |= MAY_READ; 4527 break; 4528 case KEY_NEED_WRITE: 4529 case KEY_NEED_LINK: 4530 case KEY_NEED_SETATTR: 4531 request |= MAY_WRITE; 4532 break; 4533 case KEY_NEED_UNSPECIFIED: 4534 case KEY_NEED_UNLINK: 4535 case KEY_SYSADMIN_OVERRIDE: 4536 case KEY_AUTHTOKEN_OVERRIDE: 4537 case KEY_DEFER_PERM_CHECK: 4538 return 0; 4539 default: 4540 return -EINVAL; 4541 } 4542 4543 keyp = key_ref_to_ptr(key_ref); 4544 if (keyp == NULL) 4545 return -EINVAL; 4546 /* 4547 * If the key hasn't been initialized give it access so that 4548 * it may do so. 4549 */ 4550 if (keyp->security == NULL) 4551 return 0; 4552 /* 4553 * This should not occur 4554 */ 4555 if (tkp == NULL) 4556 return -EACCES; 4557 4558 if (smack_privileged(CAP_MAC_OVERRIDE)) 4559 return 0; 4560 4561 #ifdef CONFIG_AUDIT 4562 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4563 ad.a.u.key_struct.key = keyp->serial; 4564 ad.a.u.key_struct.key_desc = keyp->description; 4565 #endif 4566 rc = smk_access(tkp, keyp->security, request, &ad); 4567 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4568 return rc; 4569 } 4570 4571 /* 4572 * smack_key_getsecurity - Smack label tagging the key 4573 * @key points to the key to be queried 4574 * @_buffer points to a pointer that should be set to point to the 4575 * resulting string (if no label or an error occurs). 4576 * Return the length of the string (including terminating NUL) or -ve if 4577 * an error. 4578 * May also return 0 (and a NULL buffer pointer) if there is no label. 4579 */ 4580 static int smack_key_getsecurity(struct key *key, char **_buffer) 4581 { 4582 struct smack_known *skp = key->security; 4583 size_t length; 4584 char *copy; 4585 4586 if (key->security == NULL) { 4587 *_buffer = NULL; 4588 return 0; 4589 } 4590 4591 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4592 if (copy == NULL) 4593 return -ENOMEM; 4594 length = strlen(copy) + 1; 4595 4596 *_buffer = copy; 4597 return length; 4598 } 4599 4600 4601 #ifdef CONFIG_KEY_NOTIFICATIONS 4602 /** 4603 * smack_watch_key - Smack access to watch a key for notifications. 4604 * @key: The key to be watched 4605 * 4606 * Return 0 if the @watch->cred has permission to read from the key object and 4607 * an error otherwise. 4608 */ 4609 static int smack_watch_key(struct key *key) 4610 { 4611 struct smk_audit_info ad; 4612 struct smack_known *tkp = smk_of_current(); 4613 int rc; 4614 4615 if (key == NULL) 4616 return -EINVAL; 4617 /* 4618 * If the key hasn't been initialized give it access so that 4619 * it may do so. 4620 */ 4621 if (key->security == NULL) 4622 return 0; 4623 /* 4624 * This should not occur 4625 */ 4626 if (tkp == NULL) 4627 return -EACCES; 4628 4629 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4630 return 0; 4631 4632 #ifdef CONFIG_AUDIT 4633 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4634 ad.a.u.key_struct.key = key->serial; 4635 ad.a.u.key_struct.key_desc = key->description; 4636 #endif 4637 rc = smk_access(tkp, key->security, MAY_READ, &ad); 4638 rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); 4639 return rc; 4640 } 4641 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4642 #endif /* CONFIG_KEYS */ 4643 4644 #ifdef CONFIG_WATCH_QUEUE 4645 /** 4646 * smack_post_notification - Smack access to post a notification to a queue 4647 * @w_cred: The credentials of the watcher. 4648 * @cred: The credentials of the event source (may be NULL). 4649 * @n: The notification message to be posted. 4650 */ 4651 static int smack_post_notification(const struct cred *w_cred, 4652 const struct cred *cred, 4653 struct watch_notification *n) 4654 { 4655 struct smk_audit_info ad; 4656 struct smack_known *subj, *obj; 4657 int rc; 4658 4659 /* Always let maintenance notifications through. */ 4660 if (n->type == WATCH_TYPE_META) 4661 return 0; 4662 4663 if (!cred) 4664 return 0; 4665 subj = smk_of_task(smack_cred(cred)); 4666 obj = smk_of_task(smack_cred(w_cred)); 4667 4668 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4669 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4670 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4671 return rc; 4672 } 4673 #endif /* CONFIG_WATCH_QUEUE */ 4674 4675 /* 4676 * Smack Audit hooks 4677 * 4678 * Audit requires a unique representation of each Smack specific 4679 * rule. This unique representation is used to distinguish the 4680 * object to be audited from remaining kernel objects and also 4681 * works as a glue between the audit hooks. 4682 * 4683 * Since repository entries are added but never deleted, we'll use 4684 * the smack_known label address related to the given audit rule as 4685 * the needed unique representation. This also better fits the smack 4686 * model where nearly everything is a label. 4687 */ 4688 #ifdef CONFIG_AUDIT 4689 4690 /** 4691 * smack_audit_rule_init - Initialize a smack audit rule 4692 * @field: audit rule fields given from user-space (audit.h) 4693 * @op: required testing operator (=, !=, >, <, ...) 4694 * @rulestr: smack label to be audited 4695 * @vrule: pointer to save our own audit rule representation 4696 * @gfp: type of the memory for the allocation 4697 * 4698 * Prepare to audit cases where (@field @op @rulestr) is true. 4699 * The label to be audited is created if necessay. 4700 */ 4701 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4702 gfp_t gfp) 4703 { 4704 struct smack_known *skp; 4705 char **rule = (char **)vrule; 4706 *rule = NULL; 4707 4708 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4709 return -EINVAL; 4710 4711 if (op != Audit_equal && op != Audit_not_equal) 4712 return -EINVAL; 4713 4714 skp = smk_import_entry(rulestr, 0); 4715 if (IS_ERR(skp)) 4716 return PTR_ERR(skp); 4717 4718 *rule = skp->smk_known; 4719 4720 return 0; 4721 } 4722 4723 /** 4724 * smack_audit_rule_known - Distinguish Smack audit rules 4725 * @krule: rule of interest, in Audit kernel representation format 4726 * 4727 * This is used to filter Smack rules from remaining Audit ones. 4728 * If it's proved that this rule belongs to us, the 4729 * audit_rule_match hook will be called to do the final judgement. 4730 */ 4731 static int smack_audit_rule_known(struct audit_krule *krule) 4732 { 4733 struct audit_field *f; 4734 int i; 4735 4736 for (i = 0; i < krule->field_count; i++) { 4737 f = &krule->fields[i]; 4738 4739 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4740 return 1; 4741 } 4742 4743 return 0; 4744 } 4745 4746 /** 4747 * smack_audit_rule_match - Audit given object ? 4748 * @secid: security id for identifying the object to test 4749 * @field: audit rule flags given from user-space 4750 * @op: required testing operator 4751 * @vrule: smack internal rule presentation 4752 * 4753 * The core Audit hook. It's used to take the decision of 4754 * whether to audit or not to audit a given object. 4755 */ 4756 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4757 { 4758 struct smack_known *skp; 4759 char *rule = vrule; 4760 4761 if (unlikely(!rule)) { 4762 WARN_ONCE(1, "Smack: missing rule\n"); 4763 return -ENOENT; 4764 } 4765 4766 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4767 return 0; 4768 4769 skp = smack_from_secid(secid); 4770 4771 /* 4772 * No need to do string comparisons. If a match occurs, 4773 * both pointers will point to the same smack_known 4774 * label. 4775 */ 4776 if (op == Audit_equal) 4777 return (rule == skp->smk_known); 4778 if (op == Audit_not_equal) 4779 return (rule != skp->smk_known); 4780 4781 return 0; 4782 } 4783 4784 /* 4785 * There is no need for a smack_audit_rule_free hook. 4786 * No memory was allocated. 4787 */ 4788 4789 #endif /* CONFIG_AUDIT */ 4790 4791 /** 4792 * smack_ismaclabel - check if xattr @name references a smack MAC label 4793 * @name: Full xattr name to check. 4794 */ 4795 static int smack_ismaclabel(const char *name) 4796 { 4797 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4798 } 4799 4800 4801 /** 4802 * smack_secid_to_secctx - return the smack label for a secid 4803 * @secid: incoming integer 4804 * @secdata: destination 4805 * @seclen: how long it is 4806 * 4807 * Exists for networking code. 4808 */ 4809 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4810 { 4811 struct smack_known *skp = smack_from_secid(secid); 4812 4813 if (secdata) 4814 *secdata = skp->smk_known; 4815 *seclen = strlen(skp->smk_known); 4816 return 0; 4817 } 4818 4819 /** 4820 * smack_secctx_to_secid - return the secid for a smack label 4821 * @secdata: smack label 4822 * @seclen: how long result is 4823 * @secid: outgoing integer 4824 * 4825 * Exists for audit and networking code. 4826 */ 4827 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4828 { 4829 struct smack_known *skp = smk_find_entry(secdata); 4830 4831 if (skp) 4832 *secid = skp->smk_secid; 4833 else 4834 *secid = 0; 4835 return 0; 4836 } 4837 4838 /* 4839 * There used to be a smack_release_secctx hook 4840 * that did nothing back when hooks were in a vector. 4841 * Now that there's a list such a hook adds cost. 4842 */ 4843 4844 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4845 { 4846 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4847 ctxlen, 0); 4848 } 4849 4850 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4851 { 4852 return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4853 ctx, ctxlen, 0); 4854 } 4855 4856 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4857 { 4858 struct smack_known *skp = smk_of_inode(inode); 4859 4860 *ctx = skp->smk_known; 4861 *ctxlen = strlen(skp->smk_known); 4862 return 0; 4863 } 4864 4865 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4866 { 4867 4868 struct task_smack *tsp; 4869 struct smack_known *skp; 4870 struct inode_smack *isp; 4871 struct cred *new_creds = *new; 4872 4873 if (new_creds == NULL) { 4874 new_creds = prepare_creds(); 4875 if (new_creds == NULL) 4876 return -ENOMEM; 4877 } 4878 4879 tsp = smack_cred(new_creds); 4880 4881 /* 4882 * Get label from overlay inode and set it in create_sid 4883 */ 4884 isp = smack_inode(d_inode(dentry)); 4885 skp = isp->smk_inode; 4886 tsp->smk_task = skp; 4887 *new = new_creds; 4888 return 0; 4889 } 4890 4891 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4892 { 4893 /* 4894 * Return 1 if this is the smack access Smack attribute. 4895 */ 4896 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4897 return 1; 4898 4899 return -EOPNOTSUPP; 4900 } 4901 4902 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4903 struct qstr *name, 4904 const struct cred *old, 4905 struct cred *new) 4906 { 4907 struct task_smack *otsp = smack_cred(old); 4908 struct task_smack *ntsp = smack_cred(new); 4909 struct inode_smack *isp; 4910 int may; 4911 4912 /* 4913 * Use the process credential unless all of 4914 * the transmuting criteria are met 4915 */ 4916 ntsp->smk_task = otsp->smk_task; 4917 4918 /* 4919 * the attribute of the containing directory 4920 */ 4921 isp = smack_inode(d_inode(dentry->d_parent)); 4922 4923 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4924 rcu_read_lock(); 4925 may = smk_access_entry(otsp->smk_task->smk_known, 4926 isp->smk_inode->smk_known, 4927 &otsp->smk_task->smk_rules); 4928 rcu_read_unlock(); 4929 4930 /* 4931 * If the directory is transmuting and the rule 4932 * providing access is transmuting use the containing 4933 * directory label instead of the process label. 4934 */ 4935 if (may > 0 && (may & MAY_TRANSMUTE)) { 4936 ntsp->smk_task = isp->smk_inode; 4937 ntsp->smk_transmuted = ntsp->smk_task; 4938 } 4939 } 4940 return 0; 4941 } 4942 4943 #ifdef CONFIG_IO_URING 4944 /** 4945 * smack_uring_override_creds - Is io_uring cred override allowed? 4946 * @new: the target creds 4947 * 4948 * Check to see if the current task is allowed to override it's credentials 4949 * to service an io_uring operation. 4950 */ 4951 static int smack_uring_override_creds(const struct cred *new) 4952 { 4953 struct task_smack *tsp = smack_cred(current_cred()); 4954 struct task_smack *nsp = smack_cred(new); 4955 4956 /* 4957 * Allow the degenerate case where the new Smack value is 4958 * the same as the current Smack value. 4959 */ 4960 if (tsp->smk_task == nsp->smk_task) 4961 return 0; 4962 4963 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4964 return 0; 4965 4966 return -EPERM; 4967 } 4968 4969 /** 4970 * smack_uring_sqpoll - check if a io_uring polling thread can be created 4971 * 4972 * Check to see if the current task is allowed to create a new io_uring 4973 * kernel polling thread. 4974 */ 4975 static int smack_uring_sqpoll(void) 4976 { 4977 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 4978 return 0; 4979 4980 return -EPERM; 4981 } 4982 4983 /** 4984 * smack_uring_cmd - check on file operations for io_uring 4985 * @ioucmd: the command in question 4986 * 4987 * Make a best guess about whether a io_uring "command" should 4988 * be allowed. Use the same logic used for determining if the 4989 * file could be opened for read in the absence of better criteria. 4990 */ 4991 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 4992 { 4993 struct file *file = ioucmd->file; 4994 struct smk_audit_info ad; 4995 struct task_smack *tsp; 4996 struct inode *inode; 4997 int rc; 4998 4999 if (!file) 5000 return -EINVAL; 5001 5002 tsp = smack_cred(file->f_cred); 5003 inode = file_inode(file); 5004 5005 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5006 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5007 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5008 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5009 5010 return rc; 5011 } 5012 5013 #endif /* CONFIG_IO_URING */ 5014 5015 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5016 .lbs_cred = sizeof(struct task_smack), 5017 .lbs_file = sizeof(struct smack_known *), 5018 .lbs_inode = sizeof(struct inode_smack), 5019 .lbs_ipc = sizeof(struct smack_known *), 5020 .lbs_msg_msg = sizeof(struct smack_known *), 5021 .lbs_superblock = sizeof(struct superblock_smack), 5022 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5023 }; 5024 5025 static const struct lsm_id smack_lsmid = { 5026 .name = "smack", 5027 .id = LSM_ID_SMACK, 5028 }; 5029 5030 static struct security_hook_list smack_hooks[] __ro_after_init = { 5031 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5032 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5033 LSM_HOOK_INIT(syslog, smack_syslog), 5034 5035 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5036 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5037 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5038 5039 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5040 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5041 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5042 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5043 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5044 5045 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5046 5047 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5048 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5049 LSM_HOOK_INIT(inode_link, smack_inode_link), 5050 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5051 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5052 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5053 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5054 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5055 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5056 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5057 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5058 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5059 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5060 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5061 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5062 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5063 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5064 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5065 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5066 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 5067 5068 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5069 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5070 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5071 LSM_HOOK_INIT(file_lock, smack_file_lock), 5072 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5073 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5074 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5075 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5076 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5077 LSM_HOOK_INIT(file_receive, smack_file_receive), 5078 5079 LSM_HOOK_INIT(file_open, smack_file_open), 5080 5081 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5082 LSM_HOOK_INIT(cred_free, smack_cred_free), 5083 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5084 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5085 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5086 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5087 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5088 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5089 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5090 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5091 LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), 5092 LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), 5093 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5094 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5095 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5096 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5097 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5098 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5099 LSM_HOOK_INIT(task_kill, smack_task_kill), 5100 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5101 5102 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5103 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 5104 5105 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5106 5107 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5108 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5109 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5110 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5111 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5112 5113 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5114 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5115 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5116 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5117 5118 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5119 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5120 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5121 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5122 5123 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5124 5125 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5126 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5127 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5128 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5129 5130 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5131 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5132 5133 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5134 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5135 #ifdef SMACK_IPV6_PORT_LABELING 5136 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5137 #endif 5138 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5139 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5140 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5141 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5142 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5143 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5144 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5145 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5146 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 5147 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5148 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5149 5150 /* key management security hooks */ 5151 #ifdef CONFIG_KEYS 5152 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5153 LSM_HOOK_INIT(key_free, smack_key_free), 5154 LSM_HOOK_INIT(key_permission, smack_key_permission), 5155 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5156 #ifdef CONFIG_KEY_NOTIFICATIONS 5157 LSM_HOOK_INIT(watch_key, smack_watch_key), 5158 #endif 5159 #endif /* CONFIG_KEYS */ 5160 5161 #ifdef CONFIG_WATCH_QUEUE 5162 LSM_HOOK_INIT(post_notification, smack_post_notification), 5163 #endif 5164 5165 /* Audit hooks */ 5166 #ifdef CONFIG_AUDIT 5167 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5168 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5169 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5170 #endif /* CONFIG_AUDIT */ 5171 5172 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5173 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5174 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5175 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5176 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5177 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5178 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5179 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5180 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5181 #ifdef CONFIG_IO_URING 5182 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5183 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5184 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5185 #endif 5186 }; 5187 5188 5189 static __init void init_smack_known_list(void) 5190 { 5191 /* 5192 * Initialize rule list locks 5193 */ 5194 mutex_init(&smack_known_huh.smk_rules_lock); 5195 mutex_init(&smack_known_hat.smk_rules_lock); 5196 mutex_init(&smack_known_floor.smk_rules_lock); 5197 mutex_init(&smack_known_star.smk_rules_lock); 5198 mutex_init(&smack_known_web.smk_rules_lock); 5199 /* 5200 * Initialize rule lists 5201 */ 5202 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5203 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5204 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5205 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5206 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5207 /* 5208 * Create the known labels list 5209 */ 5210 smk_insert_entry(&smack_known_huh); 5211 smk_insert_entry(&smack_known_hat); 5212 smk_insert_entry(&smack_known_star); 5213 smk_insert_entry(&smack_known_floor); 5214 smk_insert_entry(&smack_known_web); 5215 } 5216 5217 /** 5218 * smack_init - initialize the smack system 5219 * 5220 * Returns 0 on success, -ENOMEM is there's no memory 5221 */ 5222 static __init int smack_init(void) 5223 { 5224 struct cred *cred = (struct cred *) current->cred; 5225 struct task_smack *tsp; 5226 5227 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5228 if (!smack_rule_cache) 5229 return -ENOMEM; 5230 5231 /* 5232 * Set the security state for the initial task. 5233 */ 5234 tsp = smack_cred(cred); 5235 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5236 5237 /* 5238 * Register with LSM 5239 */ 5240 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5241 smack_enabled = 1; 5242 5243 pr_info("Smack: Initializing.\n"); 5244 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5245 pr_info("Smack: Netfilter enabled.\n"); 5246 #endif 5247 #ifdef SMACK_IPV6_PORT_LABELING 5248 pr_info("Smack: IPv6 port labeling enabled.\n"); 5249 #endif 5250 #ifdef SMACK_IPV6_SECMARK_LABELING 5251 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5252 #endif 5253 5254 /* initialize the smack_known_list */ 5255 init_smack_known_list(); 5256 5257 return 0; 5258 } 5259 5260 /* 5261 * Smack requires early initialization in order to label 5262 * all processes and objects when they are created. 5263 */ 5264 DEFINE_LSM(smack) = { 5265 .name = "smack", 5266 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5267 .blobs = &smack_blob_sizes, 5268 .init = smack_init, 5269 }; 5270