1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/icmpv6.h> 28 #include <linux/slab.h> 29 #include <linux/mutex.h> 30 #include <net/cipso_ipv4.h> 31 #include <net/ip.h> 32 #include <net/ipv6.h> 33 #include <linux/audit.h> 34 #include <linux/magic.h> 35 #include <linux/dcache.h> 36 #include <linux/personality.h> 37 #include <linux/msg.h> 38 #include <linux/shm.h> 39 #include <uapi/linux/shm.h> 40 #include <linux/binfmts.h> 41 #include <linux/parser.h> 42 #include <linux/fs_context.h> 43 #include <linux/fs_parser.h> 44 #include <linux/watch_queue.h> 45 #include <linux/io_uring/cmd.h> 46 #include <uapi/linux/lsm.h> 47 #include "smack.h" 48 49 #define TRANS_TRUE "TRUE" 50 #define TRANS_TRUE_SIZE 4 51 52 #define SMK_CONNECTING 0 53 #define SMK_RECEIVING 1 54 #define SMK_SENDING 2 55 56 /* 57 * Smack uses multiple xattrs. 58 * SMACK64 - for access control, 59 * SMACK64TRANSMUTE - label initialization, 60 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 61 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 62 */ 63 #define SMACK_INODE_INIT_XATTRS 2 64 65 #ifdef SMACK_IPV6_PORT_LABELING 66 static DEFINE_MUTEX(smack_ipv6_lock); 67 static LIST_HEAD(smk_ipv6_port_list); 68 #endif 69 struct kmem_cache *smack_rule_cache; 70 int smack_enabled __initdata; 71 72 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 73 static struct { 74 const char *name; 75 int len; 76 int opt; 77 } smk_mount_opts[] = { 78 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 79 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 80 }; 81 #undef A 82 83 static int match_opt_prefix(char *s, int l, char **arg) 84 { 85 int i; 86 87 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 88 size_t len = smk_mount_opts[i].len; 89 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 90 continue; 91 if (len == l || s[len] != '=') 92 continue; 93 *arg = s + len + 1; 94 return smk_mount_opts[i].opt; 95 } 96 return Opt_error; 97 } 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static char *smk_bu_mess[] = { 101 "Bringup Error", /* Unused */ 102 "Bringup", /* SMACK_BRINGUP_ALLOW */ 103 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 104 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 105 }; 106 107 static void smk_bu_mode(int mode, char *s) 108 { 109 smack_str_from_perm(s, mode); 110 } 111 #endif 112 113 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 114 static int smk_bu_note(char *note, struct smack_known *sskp, 115 struct smack_known *oskp, int mode, int rc) 116 { 117 char acc[SMK_NUM_ACCESS_TYPE + 1]; 118 119 if (rc <= 0) 120 return rc; 121 if (rc > SMACK_UNCONFINED_OBJECT) 122 rc = 0; 123 124 smk_bu_mode(mode, acc); 125 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 126 sskp->smk_known, oskp->smk_known, acc, note); 127 return 0; 128 } 129 #else 130 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 131 #endif 132 133 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 134 static int smk_bu_current(char *note, struct smack_known *oskp, 135 int mode, int rc) 136 { 137 struct task_smack *tsp = smack_cred(current_cred()); 138 char acc[SMK_NUM_ACCESS_TYPE + 1]; 139 140 if (rc <= 0) 141 return rc; 142 if (rc > SMACK_UNCONFINED_OBJECT) 143 rc = 0; 144 145 smk_bu_mode(mode, acc); 146 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 147 tsp->smk_task->smk_known, oskp->smk_known, 148 acc, current->comm, note); 149 return 0; 150 } 151 #else 152 #define smk_bu_current(note, oskp, mode, RC) (RC) 153 #endif 154 155 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 156 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 157 { 158 struct task_smack *tsp = smack_cred(current_cred()); 159 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 160 char acc[SMK_NUM_ACCESS_TYPE + 1]; 161 162 if (rc <= 0) 163 return rc; 164 if (rc > SMACK_UNCONFINED_OBJECT) 165 rc = 0; 166 167 smk_bu_mode(mode, acc); 168 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 169 tsp->smk_task->smk_known, smk_task->smk_known, acc, 170 current->comm, otp->comm); 171 return 0; 172 } 173 #else 174 #define smk_bu_task(otp, mode, RC) (RC) 175 #endif 176 177 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 178 static int smk_bu_inode(struct inode *inode, int mode, int rc) 179 { 180 struct task_smack *tsp = smack_cred(current_cred()); 181 struct inode_smack *isp = smack_inode(inode); 182 char acc[SMK_NUM_ACCESS_TYPE + 1]; 183 184 if (isp->smk_flags & SMK_INODE_IMPURE) 185 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 188 if (rc <= 0) 189 return rc; 190 if (rc > SMACK_UNCONFINED_OBJECT) 191 rc = 0; 192 if (rc == SMACK_UNCONFINED_SUBJECT && 193 (mode & (MAY_WRITE | MAY_APPEND))) 194 isp->smk_flags |= SMK_INODE_IMPURE; 195 196 smk_bu_mode(mode, acc); 197 198 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 199 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 200 inode->i_sb->s_id, inode->i_ino, current->comm); 201 return 0; 202 } 203 #else 204 #define smk_bu_inode(inode, mode, RC) (RC) 205 #endif 206 207 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 208 static int smk_bu_file(struct file *file, int mode, int rc) 209 { 210 struct task_smack *tsp = smack_cred(current_cred()); 211 struct smack_known *sskp = tsp->smk_task; 212 struct inode *inode = file_inode(file); 213 struct inode_smack *isp = smack_inode(inode); 214 char acc[SMK_NUM_ACCESS_TYPE + 1]; 215 216 if (isp->smk_flags & SMK_INODE_IMPURE) 217 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 218 inode->i_sb->s_id, inode->i_ino, current->comm); 219 220 if (rc <= 0) 221 return rc; 222 if (rc > SMACK_UNCONFINED_OBJECT) 223 rc = 0; 224 225 smk_bu_mode(mode, acc); 226 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 227 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 228 inode->i_sb->s_id, inode->i_ino, file, 229 current->comm); 230 return 0; 231 } 232 #else 233 #define smk_bu_file(file, mode, RC) (RC) 234 #endif 235 236 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 237 static int smk_bu_credfile(const struct cred *cred, struct file *file, 238 int mode, int rc) 239 { 240 struct task_smack *tsp = smack_cred(cred); 241 struct smack_known *sskp = tsp->smk_task; 242 struct inode *inode = file_inode(file); 243 struct inode_smack *isp = smack_inode(inode); 244 char acc[SMK_NUM_ACCESS_TYPE + 1]; 245 246 if (isp->smk_flags & SMK_INODE_IMPURE) 247 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 248 inode->i_sb->s_id, inode->i_ino, current->comm); 249 250 if (rc <= 0) 251 return rc; 252 if (rc > SMACK_UNCONFINED_OBJECT) 253 rc = 0; 254 255 smk_bu_mode(mode, acc); 256 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 257 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 258 inode->i_sb->s_id, inode->i_ino, file, 259 current->comm); 260 return 0; 261 } 262 #else 263 #define smk_bu_credfile(cred, file, mode, RC) (RC) 264 #endif 265 266 /** 267 * smk_fetch - Fetch the smack label from a file. 268 * @name: type of the label (attribute) 269 * @ip: a pointer to the inode 270 * @dp: a pointer to the dentry 271 * 272 * Returns a pointer to the master list entry for the Smack label, 273 * NULL if there was no label to fetch, or an error code. 274 */ 275 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 276 struct dentry *dp) 277 { 278 int rc; 279 char *buffer; 280 struct smack_known *skp = NULL; 281 282 if (!(ip->i_opflags & IOP_XATTR)) 283 return ERR_PTR(-EOPNOTSUPP); 284 285 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 286 if (buffer == NULL) 287 return ERR_PTR(-ENOMEM); 288 289 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 290 if (rc < 0) 291 skp = ERR_PTR(rc); 292 else if (rc == 0) 293 skp = NULL; 294 else 295 skp = smk_import_entry(buffer, rc); 296 297 kfree(buffer); 298 299 return skp; 300 } 301 302 /** 303 * init_inode_smack - initialize an inode security blob 304 * @inode: inode to extract the info from 305 * @skp: a pointer to the Smack label entry to use in the blob 306 * 307 */ 308 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 309 { 310 struct inode_smack *isp = smack_inode(inode); 311 312 isp->smk_inode = skp; 313 isp->smk_flags = 0; 314 } 315 316 /** 317 * init_task_smack - initialize a task security blob 318 * @tsp: blob to initialize 319 * @task: a pointer to the Smack label for the running task 320 * @forked: a pointer to the Smack label for the forked task 321 * 322 */ 323 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 324 struct smack_known *forked) 325 { 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 } 332 333 /** 334 * smk_copy_rules - copy a rule set 335 * @nhead: new rules header pointer 336 * @ohead: old rules header pointer 337 * @gfp: type of the memory for the allocation 338 * 339 * Returns 0 on success, -ENOMEM on error 340 */ 341 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 342 gfp_t gfp) 343 { 344 struct smack_rule *nrp; 345 struct smack_rule *orp; 346 int rc = 0; 347 348 list_for_each_entry_rcu(orp, ohead, list) { 349 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 350 if (nrp == NULL) { 351 rc = -ENOMEM; 352 break; 353 } 354 *nrp = *orp; 355 list_add_rcu(&nrp->list, nhead); 356 } 357 return rc; 358 } 359 360 /** 361 * smk_copy_relabel - copy smk_relabel labels list 362 * @nhead: new rules header pointer 363 * @ohead: old rules header pointer 364 * @gfp: type of the memory for the allocation 365 * 366 * Returns 0 on success, -ENOMEM on error 367 */ 368 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 369 gfp_t gfp) 370 { 371 struct smack_known_list_elem *nklep; 372 struct smack_known_list_elem *oklep; 373 374 list_for_each_entry(oklep, ohead, list) { 375 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 376 if (nklep == NULL) { 377 smk_destroy_label_list(nhead); 378 return -ENOMEM; 379 } 380 nklep->smk_label = oklep->smk_label; 381 list_add(&nklep->list, nhead); 382 } 383 384 return 0; 385 } 386 387 /** 388 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 389 * @mode: input mode in form of PTRACE_MODE_* 390 * 391 * Returns a converted MAY_* mode usable by smack rules 392 */ 393 static inline unsigned int smk_ptrace_mode(unsigned int mode) 394 { 395 if (mode & PTRACE_MODE_ATTACH) 396 return MAY_READWRITE; 397 if (mode & PTRACE_MODE_READ) 398 return MAY_READ; 399 400 return 0; 401 } 402 403 /** 404 * smk_ptrace_rule_check - helper for ptrace access 405 * @tracer: tracer process 406 * @tracee_known: label entry of the process that's about to be traced 407 * @mode: ptrace attachment mode (PTRACE_MODE_*) 408 * @func: name of the function that called us, used for audit 409 * 410 * Returns 0 on access granted, -error on error 411 */ 412 static int smk_ptrace_rule_check(struct task_struct *tracer, 413 struct smack_known *tracee_known, 414 unsigned int mode, const char *func) 415 { 416 int rc; 417 struct smk_audit_info ad, *saip = NULL; 418 struct task_smack *tsp; 419 struct smack_known *tracer_known; 420 const struct cred *tracercred; 421 422 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 423 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 424 smk_ad_setfield_u_tsk(&ad, tracer); 425 saip = &ad; 426 } 427 428 rcu_read_lock(); 429 tracercred = __task_cred(tracer); 430 tsp = smack_cred(tracercred); 431 tracer_known = smk_of_task(tsp); 432 433 if ((mode & PTRACE_MODE_ATTACH) && 434 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 435 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 436 if (tracer_known->smk_known == tracee_known->smk_known) 437 rc = 0; 438 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 439 rc = -EACCES; 440 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 441 rc = 0; 442 else 443 rc = -EACCES; 444 445 if (saip) 446 smack_log(tracer_known->smk_known, 447 tracee_known->smk_known, 448 0, rc, saip); 449 450 rcu_read_unlock(); 451 return rc; 452 } 453 454 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 455 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 456 457 rcu_read_unlock(); 458 return rc; 459 } 460 461 /* 462 * LSM hooks. 463 * We he, that is fun! 464 */ 465 466 /** 467 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 468 * @ctp: child task pointer 469 * @mode: ptrace attachment mode (PTRACE_MODE_*) 470 * 471 * Returns 0 if access is OK, an error code otherwise 472 * 473 * Do the capability checks. 474 */ 475 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 476 { 477 struct smack_known *skp; 478 479 skp = smk_of_task_struct_obj(ctp); 480 481 return smk_ptrace_rule_check(current, skp, mode, __func__); 482 } 483 484 /** 485 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 486 * @ptp: parent task pointer 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks, and require PTRACE_MODE_ATTACH. 491 */ 492 static int smack_ptrace_traceme(struct task_struct *ptp) 493 { 494 struct smack_known *skp; 495 496 skp = smk_of_task(smack_cred(current_cred())); 497 498 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 499 } 500 501 /** 502 * smack_syslog - Smack approval on syslog 503 * @typefrom_file: unused 504 * 505 * Returns 0 on success, error code otherwise. 506 */ 507 static int smack_syslog(int typefrom_file) 508 { 509 int rc = 0; 510 struct smack_known *skp = smk_of_current(); 511 512 if (smack_privileged(CAP_MAC_OVERRIDE)) 513 return 0; 514 515 if (smack_syslog_label != NULL && smack_syslog_label != skp) 516 rc = -EACCES; 517 518 return rc; 519 } 520 521 /* 522 * Superblock Hooks. 523 */ 524 525 /** 526 * smack_sb_alloc_security - allocate a superblock blob 527 * @sb: the superblock getting the blob 528 * 529 * Returns 0 on success or -ENOMEM on error. 530 */ 531 static int smack_sb_alloc_security(struct super_block *sb) 532 { 533 struct superblock_smack *sbsp = smack_superblock(sb); 534 535 sbsp->smk_root = &smack_known_floor; 536 sbsp->smk_default = &smack_known_floor; 537 sbsp->smk_floor = &smack_known_floor; 538 sbsp->smk_hat = &smack_known_hat; 539 /* 540 * SMK_SB_INITIALIZED will be zero from kzalloc. 541 */ 542 543 return 0; 544 } 545 546 struct smack_mnt_opts { 547 const char *fsdefault; 548 const char *fsfloor; 549 const char *fshat; 550 const char *fsroot; 551 const char *fstransmute; 552 }; 553 554 static void smack_free_mnt_opts(void *mnt_opts) 555 { 556 kfree(mnt_opts); 557 } 558 559 static int smack_add_opt(int token, const char *s, void **mnt_opts) 560 { 561 struct smack_mnt_opts *opts = *mnt_opts; 562 struct smack_known *skp; 563 564 if (!opts) { 565 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 566 if (!opts) 567 return -ENOMEM; 568 *mnt_opts = opts; 569 } 570 if (!s) 571 return -ENOMEM; 572 573 skp = smk_import_entry(s, 0); 574 if (IS_ERR(skp)) 575 return PTR_ERR(skp); 576 577 switch (token) { 578 case Opt_fsdefault: 579 if (opts->fsdefault) 580 goto out_opt_err; 581 opts->fsdefault = skp->smk_known; 582 break; 583 case Opt_fsfloor: 584 if (opts->fsfloor) 585 goto out_opt_err; 586 opts->fsfloor = skp->smk_known; 587 break; 588 case Opt_fshat: 589 if (opts->fshat) 590 goto out_opt_err; 591 opts->fshat = skp->smk_known; 592 break; 593 case Opt_fsroot: 594 if (opts->fsroot) 595 goto out_opt_err; 596 opts->fsroot = skp->smk_known; 597 break; 598 case Opt_fstransmute: 599 if (opts->fstransmute) 600 goto out_opt_err; 601 opts->fstransmute = skp->smk_known; 602 break; 603 } 604 return 0; 605 606 out_opt_err: 607 pr_warn("Smack: duplicate mount options\n"); 608 return -EINVAL; 609 } 610 611 /** 612 * smack_fs_context_submount - Initialise security data for a filesystem context 613 * @fc: The filesystem context. 614 * @reference: reference superblock 615 * 616 * Returns 0 on success or -ENOMEM on error. 617 */ 618 static int smack_fs_context_submount(struct fs_context *fc, 619 struct super_block *reference) 620 { 621 struct superblock_smack *sbsp; 622 struct smack_mnt_opts *ctx; 623 struct inode_smack *isp; 624 625 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 626 if (!ctx) 627 return -ENOMEM; 628 fc->security = ctx; 629 630 sbsp = smack_superblock(reference); 631 isp = smack_inode(reference->s_root->d_inode); 632 633 if (sbsp->smk_default) { 634 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 635 if (!ctx->fsdefault) 636 return -ENOMEM; 637 } 638 639 if (sbsp->smk_floor) { 640 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 641 if (!ctx->fsfloor) 642 return -ENOMEM; 643 } 644 645 if (sbsp->smk_hat) { 646 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 647 if (!ctx->fshat) 648 return -ENOMEM; 649 } 650 651 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 652 if (sbsp->smk_root) { 653 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 654 if (!ctx->fstransmute) 655 return -ENOMEM; 656 } 657 } 658 return 0; 659 } 660 661 /** 662 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 663 * @fc: The new filesystem context. 664 * @src_fc: The source filesystem context being duplicated. 665 * 666 * Returns 0 on success or -ENOMEM on error. 667 */ 668 static int smack_fs_context_dup(struct fs_context *fc, 669 struct fs_context *src_fc) 670 { 671 struct smack_mnt_opts *dst, *src = src_fc->security; 672 673 if (!src) 674 return 0; 675 676 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 677 if (!fc->security) 678 return -ENOMEM; 679 680 dst = fc->security; 681 dst->fsdefault = src->fsdefault; 682 dst->fsfloor = src->fsfloor; 683 dst->fshat = src->fshat; 684 dst->fsroot = src->fsroot; 685 dst->fstransmute = src->fstransmute; 686 687 return 0; 688 } 689 690 static const struct fs_parameter_spec smack_fs_parameters[] = { 691 fsparam_string("smackfsdef", Opt_fsdefault), 692 fsparam_string("smackfsdefault", Opt_fsdefault), 693 fsparam_string("smackfsfloor", Opt_fsfloor), 694 fsparam_string("smackfshat", Opt_fshat), 695 fsparam_string("smackfsroot", Opt_fsroot), 696 fsparam_string("smackfstransmute", Opt_fstransmute), 697 {} 698 }; 699 700 /** 701 * smack_fs_context_parse_param - Parse a single mount parameter 702 * @fc: The new filesystem context being constructed. 703 * @param: The parameter. 704 * 705 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 706 * error. 707 */ 708 static int smack_fs_context_parse_param(struct fs_context *fc, 709 struct fs_parameter *param) 710 { 711 struct fs_parse_result result; 712 int opt, rc; 713 714 opt = fs_parse(fc, smack_fs_parameters, param, &result); 715 if (opt < 0) 716 return opt; 717 718 rc = smack_add_opt(opt, param->string, &fc->security); 719 if (!rc) 720 param->string = NULL; 721 return rc; 722 } 723 724 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 725 { 726 char *from = options, *to = options; 727 bool first = true; 728 729 while (1) { 730 char *next = strchr(from, ','); 731 int token, len, rc; 732 char *arg = NULL; 733 734 if (next) 735 len = next - from; 736 else 737 len = strlen(from); 738 739 token = match_opt_prefix(from, len, &arg); 740 if (token != Opt_error) { 741 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 742 rc = smack_add_opt(token, arg, mnt_opts); 743 kfree(arg); 744 if (unlikely(rc)) { 745 if (*mnt_opts) 746 smack_free_mnt_opts(*mnt_opts); 747 *mnt_opts = NULL; 748 return rc; 749 } 750 } else { 751 if (!first) { // copy with preceding comma 752 from--; 753 len++; 754 } 755 if (to != from) 756 memmove(to, from, len); 757 to += len; 758 first = false; 759 } 760 if (!from[len]) 761 break; 762 from += len + 1; 763 } 764 *to = '\0'; 765 return 0; 766 } 767 768 /** 769 * smack_set_mnt_opts - set Smack specific mount options 770 * @sb: the file system superblock 771 * @mnt_opts: Smack mount options 772 * @kern_flags: mount option from kernel space or user space 773 * @set_kern_flags: where to store converted mount opts 774 * 775 * Returns 0 on success, an error code on failure 776 * 777 * Allow filesystems with binary mount data to explicitly set Smack mount 778 * labels. 779 */ 780 static int smack_set_mnt_opts(struct super_block *sb, 781 void *mnt_opts, 782 unsigned long kern_flags, 783 unsigned long *set_kern_flags) 784 { 785 struct dentry *root = sb->s_root; 786 struct inode *inode = d_backing_inode(root); 787 struct superblock_smack *sp = smack_superblock(sb); 788 struct inode_smack *isp; 789 struct smack_known *skp; 790 struct smack_mnt_opts *opts = mnt_opts; 791 bool transmute = false; 792 793 if (sp->smk_flags & SMK_SB_INITIALIZED) 794 return 0; 795 796 if (!smack_privileged(CAP_MAC_ADMIN)) { 797 /* 798 * Unprivileged mounts don't get to specify Smack values. 799 */ 800 if (opts) 801 return -EPERM; 802 /* 803 * Unprivileged mounts get root and default from the caller. 804 */ 805 skp = smk_of_current(); 806 sp->smk_root = skp; 807 sp->smk_default = skp; 808 /* 809 * For a handful of fs types with no user-controlled 810 * backing store it's okay to trust security labels 811 * in the filesystem. The rest are untrusted. 812 */ 813 if (sb->s_user_ns != &init_user_ns && 814 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 815 sb->s_magic != RAMFS_MAGIC) { 816 transmute = true; 817 sp->smk_flags |= SMK_SB_UNTRUSTED; 818 } 819 } 820 821 sp->smk_flags |= SMK_SB_INITIALIZED; 822 823 if (opts) { 824 if (opts->fsdefault) { 825 skp = smk_import_entry(opts->fsdefault, 0); 826 if (IS_ERR(skp)) 827 return PTR_ERR(skp); 828 sp->smk_default = skp; 829 } 830 if (opts->fsfloor) { 831 skp = smk_import_entry(opts->fsfloor, 0); 832 if (IS_ERR(skp)) 833 return PTR_ERR(skp); 834 sp->smk_floor = skp; 835 } 836 if (opts->fshat) { 837 skp = smk_import_entry(opts->fshat, 0); 838 if (IS_ERR(skp)) 839 return PTR_ERR(skp); 840 sp->smk_hat = skp; 841 } 842 if (opts->fsroot) { 843 skp = smk_import_entry(opts->fsroot, 0); 844 if (IS_ERR(skp)) 845 return PTR_ERR(skp); 846 sp->smk_root = skp; 847 } 848 if (opts->fstransmute) { 849 skp = smk_import_entry(opts->fstransmute, 0); 850 if (IS_ERR(skp)) 851 return PTR_ERR(skp); 852 sp->smk_root = skp; 853 transmute = true; 854 } 855 } 856 857 /* 858 * Initialize the root inode. 859 */ 860 init_inode_smack(inode, sp->smk_root); 861 862 if (transmute) { 863 isp = smack_inode(inode); 864 isp->smk_flags |= SMK_INODE_TRANSMUTE; 865 } 866 867 return 0; 868 } 869 870 /** 871 * smack_sb_statfs - Smack check on statfs 872 * @dentry: identifies the file system in question 873 * 874 * Returns 0 if current can read the floor of the filesystem, 875 * and error code otherwise 876 */ 877 static int smack_sb_statfs(struct dentry *dentry) 878 { 879 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 880 int rc; 881 struct smk_audit_info ad; 882 883 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 884 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 885 886 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 887 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 888 return rc; 889 } 890 891 /* 892 * BPRM hooks 893 */ 894 895 /** 896 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 897 * @bprm: the exec information 898 * 899 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 900 */ 901 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 902 { 903 struct inode *inode = file_inode(bprm->file); 904 struct task_smack *bsp = smack_cred(bprm->cred); 905 struct inode_smack *isp; 906 struct superblock_smack *sbsp; 907 int rc; 908 909 isp = smack_inode(inode); 910 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 911 return 0; 912 913 sbsp = smack_superblock(inode->i_sb); 914 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 915 isp->smk_task != sbsp->smk_root) 916 return 0; 917 918 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 919 struct task_struct *tracer; 920 rc = 0; 921 922 rcu_read_lock(); 923 tracer = ptrace_parent(current); 924 if (likely(tracer != NULL)) 925 rc = smk_ptrace_rule_check(tracer, 926 isp->smk_task, 927 PTRACE_MODE_ATTACH, 928 __func__); 929 rcu_read_unlock(); 930 931 if (rc != 0) 932 return rc; 933 } 934 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 935 return -EPERM; 936 937 bsp->smk_task = isp->smk_task; 938 bprm->per_clear |= PER_CLEAR_ON_SETID; 939 940 /* Decide if this is a secure exec. */ 941 if (bsp->smk_task != bsp->smk_forked) 942 bprm->secureexec = 1; 943 944 return 0; 945 } 946 947 /* 948 * Inode hooks 949 */ 950 951 /** 952 * smack_inode_alloc_security - allocate an inode blob 953 * @inode: the inode in need of a blob 954 * 955 * Returns 0 956 */ 957 static int smack_inode_alloc_security(struct inode *inode) 958 { 959 struct smack_known *skp = smk_of_current(); 960 961 init_inode_smack(inode, skp); 962 return 0; 963 } 964 965 /** 966 * smk_rule_transmutes - does access rule for (subject,object) contain 't'? 967 * @subject: a pointer to the subject's Smack label entry 968 * @object: a pointer to the object's Smack label entry 969 */ 970 static bool 971 smk_rule_transmutes(struct smack_known *subject, 972 const struct smack_known *object) 973 { 974 int may; 975 976 rcu_read_lock(); 977 may = smk_access_entry(subject->smk_known, object->smk_known, 978 &subject->smk_rules); 979 rcu_read_unlock(); 980 return (may > 0) && (may & MAY_TRANSMUTE); 981 } 982 983 static int 984 xattr_dupval(struct xattr *xattrs, int *xattr_count, 985 const char *name, const void *value, unsigned int vallen) 986 { 987 struct xattr * const xattr = lsm_get_xattr_slot(xattrs, xattr_count); 988 989 if (!xattr) 990 return 0; 991 992 xattr->value = kmemdup(value, vallen, GFP_NOFS); 993 if (!xattr->value) 994 return -ENOMEM; 995 996 xattr->value_len = vallen; 997 xattr->name = name; 998 return 0; 999 } 1000 1001 /** 1002 * smack_inode_init_security - copy out the smack from an inode 1003 * @inode: the newly created inode 1004 * @dir: containing directory object 1005 * @qstr: unused 1006 * @xattrs: where to put the attributes 1007 * @xattr_count: current number of LSM-provided xattrs (updated) 1008 * 1009 * Returns 0 if it all works out, -ENOMEM if there's no memory 1010 */ 1011 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1012 const struct qstr *qstr, 1013 struct xattr *xattrs, int *xattr_count) 1014 { 1015 struct task_smack *tsp = smack_cred(current_cred()); 1016 struct inode_smack * const issp = smack_inode(inode); 1017 struct smack_known *dsp = smk_of_inode(dir); 1018 int rc = 0; 1019 int transflag = 0; 1020 bool trans_cred; 1021 bool trans_rule; 1022 1023 /* 1024 * UNIX domain sockets use lower level socket data. Let 1025 * UDS inode have fixed * label to keep smack_inode_permission() calm 1026 * when called from unix_find_bsd() 1027 */ 1028 if (S_ISSOCK(inode->i_mode)) { 1029 /* forced label, no need to save to xattrs */ 1030 issp->smk_inode = &smack_known_star; 1031 goto instant_inode; 1032 } 1033 /* 1034 * If equal, transmuting already occurred in 1035 * smack_dentry_create_files_as(). No need to check again. 1036 */ 1037 trans_cred = (tsp->smk_task == tsp->smk_transmuted); 1038 if (!trans_cred) 1039 trans_rule = smk_rule_transmutes(smk_of_task(tsp), dsp); 1040 1041 /* 1042 * In addition to having smk_task equal to smk_transmuted, 1043 * if the access rule allows transmutation and the directory 1044 * requests transmutation then by all means transmute. 1045 * Mark the inode as changed. 1046 */ 1047 if (trans_cred || (trans_rule && smk_inode_transmutable(dir))) { 1048 /* 1049 * The caller of smack_dentry_create_files_as() 1050 * should have overridden the current cred, so the 1051 * inode label was already set correctly in 1052 * smack_inode_alloc_security(). 1053 */ 1054 if (!trans_cred) 1055 issp->smk_inode = dsp; 1056 1057 if (S_ISDIR(inode->i_mode)) { 1058 transflag = SMK_INODE_TRANSMUTE; 1059 1060 if (xattr_dupval(xattrs, xattr_count, 1061 XATTR_SMACK_TRANSMUTE, 1062 TRANS_TRUE, 1063 TRANS_TRUE_SIZE 1064 )) 1065 rc = -ENOMEM; 1066 } 1067 } 1068 1069 if (rc == 0) 1070 if (xattr_dupval(xattrs, xattr_count, 1071 XATTR_SMACK_SUFFIX, 1072 issp->smk_inode->smk_known, 1073 strlen(issp->smk_inode->smk_known) 1074 )) 1075 rc = -ENOMEM; 1076 instant_inode: 1077 issp->smk_flags |= (SMK_INODE_INSTANT | transflag); 1078 return rc; 1079 } 1080 1081 /** 1082 * smack_inode_link - Smack check on link 1083 * @old_dentry: the existing object 1084 * @dir: unused 1085 * @new_dentry: the new object 1086 * 1087 * Returns 0 if access is permitted, an error code otherwise 1088 */ 1089 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1090 struct dentry *new_dentry) 1091 { 1092 struct smack_known *isp; 1093 struct smk_audit_info ad; 1094 int rc; 1095 1096 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1097 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1098 1099 isp = smk_of_inode(d_backing_inode(old_dentry)); 1100 rc = smk_curacc(isp, MAY_WRITE, &ad); 1101 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1102 1103 if (rc == 0 && d_is_positive(new_dentry)) { 1104 isp = smk_of_inode(d_backing_inode(new_dentry)); 1105 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1106 rc = smk_curacc(isp, MAY_WRITE, &ad); 1107 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1108 } 1109 1110 return rc; 1111 } 1112 1113 /** 1114 * smack_inode_unlink - Smack check on inode deletion 1115 * @dir: containing directory object 1116 * @dentry: file to unlink 1117 * 1118 * Returns 0 if current can write the containing directory 1119 * and the object, error code otherwise 1120 */ 1121 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1122 { 1123 struct inode *ip = d_backing_inode(dentry); 1124 struct smk_audit_info ad; 1125 int rc; 1126 1127 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1128 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1129 1130 /* 1131 * You need write access to the thing you're unlinking 1132 */ 1133 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1134 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1135 if (rc == 0) { 1136 /* 1137 * You also need write access to the containing directory 1138 */ 1139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1140 smk_ad_setfield_u_fs_inode(&ad, dir); 1141 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1142 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1143 } 1144 return rc; 1145 } 1146 1147 /** 1148 * smack_inode_rmdir - Smack check on directory deletion 1149 * @dir: containing directory object 1150 * @dentry: directory to unlink 1151 * 1152 * Returns 0 if current can write the containing directory 1153 * and the directory, error code otherwise 1154 */ 1155 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1156 { 1157 struct smk_audit_info ad; 1158 int rc; 1159 1160 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1161 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1162 1163 /* 1164 * You need write access to the thing you're removing 1165 */ 1166 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1167 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1168 if (rc == 0) { 1169 /* 1170 * You also need write access to the containing directory 1171 */ 1172 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1173 smk_ad_setfield_u_fs_inode(&ad, dir); 1174 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1175 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1176 } 1177 1178 return rc; 1179 } 1180 1181 /** 1182 * smack_inode_rename - Smack check on rename 1183 * @old_inode: unused 1184 * @old_dentry: the old object 1185 * @new_inode: unused 1186 * @new_dentry: the new object 1187 * 1188 * Read and write access is required on both the old and 1189 * new directories. 1190 * 1191 * Returns 0 if access is permitted, an error code otherwise 1192 */ 1193 static int smack_inode_rename(struct inode *old_inode, 1194 struct dentry *old_dentry, 1195 struct inode *new_inode, 1196 struct dentry *new_dentry) 1197 { 1198 int rc; 1199 struct smack_known *isp; 1200 struct smk_audit_info ad; 1201 1202 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1203 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1204 1205 isp = smk_of_inode(d_backing_inode(old_dentry)); 1206 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1207 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1208 1209 if (rc == 0 && d_is_positive(new_dentry)) { 1210 isp = smk_of_inode(d_backing_inode(new_dentry)); 1211 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1212 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1213 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1214 } 1215 return rc; 1216 } 1217 1218 /** 1219 * smack_inode_permission - Smack version of permission() 1220 * @inode: the inode in question 1221 * @mask: the access requested 1222 * 1223 * This is the important Smack hook. 1224 * 1225 * Returns 0 if access is permitted, an error code otherwise 1226 */ 1227 static int smack_inode_permission(struct inode *inode, int mask) 1228 { 1229 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1230 struct smk_audit_info ad; 1231 int no_block = mask & MAY_NOT_BLOCK; 1232 int rc; 1233 1234 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1235 /* 1236 * No permission to check. Existence test. Yup, it's there. 1237 */ 1238 if (mask == 0) 1239 return 0; 1240 1241 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1242 if (smk_of_inode(inode) != sbsp->smk_root) 1243 return -EACCES; 1244 } 1245 1246 /* May be droppable after audit */ 1247 if (no_block) 1248 return -ECHILD; 1249 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1250 smk_ad_setfield_u_fs_inode(&ad, inode); 1251 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1252 rc = smk_bu_inode(inode, mask, rc); 1253 return rc; 1254 } 1255 1256 /** 1257 * smack_inode_setattr - Smack check for setting attributes 1258 * @idmap: idmap of the mount 1259 * @dentry: the object 1260 * @iattr: for the force flag 1261 * 1262 * Returns 0 if access is permitted, an error code otherwise 1263 */ 1264 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1265 struct iattr *iattr) 1266 { 1267 struct smk_audit_info ad; 1268 int rc; 1269 1270 /* 1271 * Need to allow for clearing the setuid bit. 1272 */ 1273 if (iattr->ia_valid & ATTR_FORCE) 1274 return 0; 1275 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1276 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1277 1278 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1279 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1280 return rc; 1281 } 1282 1283 /** 1284 * smack_inode_getattr - Smack check for getting attributes 1285 * @path: path to extract the info from 1286 * 1287 * Returns 0 if access is permitted, an error code otherwise 1288 */ 1289 static int smack_inode_getattr(const struct path *path) 1290 { 1291 struct smk_audit_info ad; 1292 struct inode *inode = d_backing_inode(path->dentry); 1293 int rc; 1294 1295 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1296 smk_ad_setfield_u_fs_path(&ad, *path); 1297 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1298 rc = smk_bu_inode(inode, MAY_READ, rc); 1299 return rc; 1300 } 1301 1302 /** 1303 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1304 * @name: name of the xattr 1305 * 1306 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1307 * named @name; the LSM layer should avoid enforcing any traditional 1308 * capability based access controls on this xattr. Returns 0 to indicate that 1309 * Smack does not "own" the access control rights to xattrs named @name and is 1310 * deferring to the LSM layer for further access controls, including capability 1311 * based controls. 1312 */ 1313 static int smack_inode_xattr_skipcap(const char *name) 1314 { 1315 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1316 return 0; 1317 1318 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1319 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1320 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1321 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1322 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1323 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1324 return 1; 1325 1326 return 0; 1327 } 1328 1329 /** 1330 * smack_inode_setxattr - Smack check for setting xattrs 1331 * @idmap: idmap of the mount 1332 * @dentry: the object 1333 * @name: name of the attribute 1334 * @value: value of the attribute 1335 * @size: size of the value 1336 * @flags: unused 1337 * 1338 * This protects the Smack attribute explicitly. 1339 * 1340 * Returns 0 if access is permitted, an error code otherwise 1341 */ 1342 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1343 struct dentry *dentry, const char *name, 1344 const void *value, size_t size, int flags) 1345 { 1346 struct smk_audit_info ad; 1347 struct smack_known *skp; 1348 int check_priv = 0; 1349 int check_import = 0; 1350 int check_star = 0; 1351 int rc = 0; 1352 umode_t const i_mode = d_backing_inode(dentry)->i_mode; 1353 1354 /* 1355 * Check label validity here so import won't fail in post_setxattr 1356 */ 1357 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1358 /* 1359 * UDS inode has fixed label 1360 */ 1361 if (S_ISSOCK(i_mode)) { 1362 rc = -EINVAL; 1363 } else { 1364 check_priv = 1; 1365 check_import = 1; 1366 } 1367 } else if (strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1368 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1369 check_priv = 1; 1370 check_import = 1; 1371 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1372 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1373 check_priv = 1; 1374 check_import = 1; 1375 check_star = 1; 1376 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1377 check_priv = 1; 1378 if (!S_ISDIR(i_mode) || 1379 size != TRANS_TRUE_SIZE || 1380 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1381 rc = -EINVAL; 1382 } 1383 1384 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1385 rc = -EPERM; 1386 1387 if (rc == 0 && check_import) { 1388 skp = size ? smk_import_entry(value, size) : NULL; 1389 if (IS_ERR(skp)) 1390 rc = PTR_ERR(skp); 1391 else if (skp == NULL || (check_star && 1392 (skp == &smack_known_star || skp == &smack_known_web))) 1393 rc = -EINVAL; 1394 } 1395 1396 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1397 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1398 1399 if (rc == 0) { 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1402 } 1403 1404 return rc; 1405 } 1406 1407 /** 1408 * smack_inode_post_setxattr - Apply the Smack update approved above 1409 * @dentry: object 1410 * @name: attribute name 1411 * @value: attribute value 1412 * @size: attribute size 1413 * @flags: unused 1414 * 1415 * Set the pointer in the inode blob to the entry found 1416 * in the master label list. 1417 */ 1418 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1419 const void *value, size_t size, int flags) 1420 { 1421 struct smack_known *skp; 1422 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1423 1424 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1425 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1426 return; 1427 } 1428 1429 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1430 skp = smk_import_entry(value, size); 1431 if (!IS_ERR(skp)) 1432 isp->smk_inode = skp; 1433 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1434 skp = smk_import_entry(value, size); 1435 if (!IS_ERR(skp)) 1436 isp->smk_task = skp; 1437 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1438 skp = smk_import_entry(value, size); 1439 if (!IS_ERR(skp)) 1440 isp->smk_mmap = skp; 1441 } 1442 1443 return; 1444 } 1445 1446 /** 1447 * smack_inode_getxattr - Smack check on getxattr 1448 * @dentry: the object 1449 * @name: unused 1450 * 1451 * Returns 0 if access is permitted, an error code otherwise 1452 */ 1453 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1454 { 1455 struct smk_audit_info ad; 1456 int rc; 1457 1458 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1459 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1460 1461 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1462 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1463 return rc; 1464 } 1465 1466 /** 1467 * smack_inode_removexattr - Smack check on removexattr 1468 * @idmap: idmap of the mount 1469 * @dentry: the object 1470 * @name: name of the attribute 1471 * 1472 * Removing the Smack attribute requires CAP_MAC_ADMIN 1473 * 1474 * Returns 0 if access is permitted, an error code otherwise 1475 */ 1476 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1477 struct dentry *dentry, const char *name) 1478 { 1479 struct inode_smack *isp; 1480 struct smk_audit_info ad; 1481 int rc = 0; 1482 1483 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1484 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1485 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1486 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1487 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1488 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1489 if (!smack_privileged(CAP_MAC_ADMIN)) 1490 rc = -EPERM; 1491 } 1492 1493 if (rc != 0) 1494 return rc; 1495 1496 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1497 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1498 1499 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1500 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1501 if (rc != 0) 1502 return rc; 1503 1504 isp = smack_inode(d_backing_inode(dentry)); 1505 /* 1506 * Don't do anything special for these. 1507 * XATTR_NAME_SMACKIPIN 1508 * XATTR_NAME_SMACKIPOUT 1509 * XATTR_NAME_SMACK if S_ISSOCK (UDS inode has fixed label) 1510 */ 1511 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1512 if (!S_ISSOCK(d_backing_inode(dentry)->i_mode)) { 1513 struct super_block *sbp = dentry->d_sb; 1514 struct superblock_smack *sbsp = smack_superblock(sbp); 1515 1516 isp->smk_inode = sbsp->smk_default; 1517 } 1518 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1519 isp->smk_task = NULL; 1520 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1521 isp->smk_mmap = NULL; 1522 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1523 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1524 1525 return 0; 1526 } 1527 1528 /** 1529 * smack_inode_set_acl - Smack check for setting posix acls 1530 * @idmap: idmap of the mnt this request came from 1531 * @dentry: the object 1532 * @acl_name: name of the posix acl 1533 * @kacl: the posix acls 1534 * 1535 * Returns 0 if access is permitted, an error code otherwise 1536 */ 1537 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1538 struct dentry *dentry, const char *acl_name, 1539 struct posix_acl *kacl) 1540 { 1541 struct smk_audit_info ad; 1542 int rc; 1543 1544 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1545 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1546 1547 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1548 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1549 return rc; 1550 } 1551 1552 /** 1553 * smack_inode_get_acl - Smack check for getting posix acls 1554 * @idmap: idmap of the mnt this request came from 1555 * @dentry: the object 1556 * @acl_name: name of the posix acl 1557 * 1558 * Returns 0 if access is permitted, an error code otherwise 1559 */ 1560 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1561 struct dentry *dentry, const char *acl_name) 1562 { 1563 struct smk_audit_info ad; 1564 int rc; 1565 1566 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1567 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1568 1569 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1570 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1571 return rc; 1572 } 1573 1574 /** 1575 * smack_inode_remove_acl - Smack check for getting posix acls 1576 * @idmap: idmap of the mnt this request came from 1577 * @dentry: the object 1578 * @acl_name: name of the posix acl 1579 * 1580 * Returns 0 if access is permitted, an error code otherwise 1581 */ 1582 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1583 struct dentry *dentry, const char *acl_name) 1584 { 1585 struct smk_audit_info ad; 1586 int rc; 1587 1588 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1589 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1590 1591 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1592 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1593 return rc; 1594 } 1595 1596 /** 1597 * smack_inode_getsecurity - get smack xattrs 1598 * @idmap: idmap of the mount 1599 * @inode: the object 1600 * @name: attribute name 1601 * @buffer: where to put the result 1602 * @alloc: duplicate memory 1603 * 1604 * Returns the size of the attribute or an error code 1605 */ 1606 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1607 struct inode *inode, const char *name, 1608 void **buffer, bool alloc) 1609 { 1610 struct socket_smack *ssp; 1611 struct socket *sock; 1612 struct super_block *sbp; 1613 struct inode *ip = inode; 1614 struct smack_known *isp; 1615 struct inode_smack *ispp; 1616 size_t label_len; 1617 char *label = NULL; 1618 1619 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1620 isp = smk_of_inode(inode); 1621 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1622 ispp = smack_inode(inode); 1623 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1624 label = TRANS_TRUE; 1625 else 1626 label = ""; 1627 } else { 1628 /* 1629 * The rest of the Smack xattrs are only on sockets. 1630 */ 1631 sbp = ip->i_sb; 1632 if (sbp->s_magic != SOCKFS_MAGIC) 1633 return -EOPNOTSUPP; 1634 1635 sock = SOCKET_I(ip); 1636 if (sock == NULL || sock->sk == NULL) 1637 return -EOPNOTSUPP; 1638 1639 ssp = smack_sock(sock->sk); 1640 1641 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1642 isp = ssp->smk_in; 1643 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1644 isp = ssp->smk_out; 1645 else 1646 return -EOPNOTSUPP; 1647 } 1648 1649 if (!label) 1650 label = isp->smk_known; 1651 1652 label_len = strlen(label); 1653 1654 if (alloc) { 1655 *buffer = kstrdup(label, GFP_KERNEL); 1656 if (*buffer == NULL) 1657 return -ENOMEM; 1658 } 1659 1660 return label_len; 1661 } 1662 1663 1664 /** 1665 * smack_inode_listsecurity - list the Smack attributes 1666 * @inode: the object 1667 * @buffer: where they go 1668 * @buffer_size: size of buffer 1669 */ 1670 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1671 size_t buffer_size) 1672 { 1673 int len = sizeof(XATTR_NAME_SMACK); 1674 1675 if (buffer != NULL && len <= buffer_size) 1676 memcpy(buffer, XATTR_NAME_SMACK, len); 1677 1678 return len; 1679 } 1680 1681 /** 1682 * smack_inode_getlsmprop - Extract inode's security id 1683 * @inode: inode to extract the info from 1684 * @prop: where result will be saved 1685 */ 1686 static void smack_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 1687 { 1688 prop->smack.skp = smk_of_inode(inode); 1689 } 1690 1691 /* 1692 * File Hooks 1693 */ 1694 1695 /* 1696 * There is no smack_file_permission hook 1697 * 1698 * Should access checks be done on each read or write? 1699 * UNICOS and SELinux say yes. 1700 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1701 * 1702 * I'll say no for now. Smack does not do the frequent 1703 * label changing that SELinux does. 1704 */ 1705 1706 /** 1707 * smack_file_alloc_security - assign a file security blob 1708 * @file: the object 1709 * 1710 * The security blob for a file is a pointer to the master 1711 * label list, so no allocation is done. 1712 * 1713 * f_security is the owner security information. It 1714 * isn't used on file access checks, it's for send_sigio. 1715 * 1716 * Returns 0 1717 */ 1718 static int smack_file_alloc_security(struct file *file) 1719 { 1720 struct smack_known **blob = smack_file(file); 1721 1722 *blob = smk_of_current(); 1723 return 0; 1724 } 1725 1726 /** 1727 * smack_file_ioctl - Smack check on ioctls 1728 * @file: the object 1729 * @cmd: what to do 1730 * @arg: unused 1731 * 1732 * Relies heavily on the correct use of the ioctl command conventions. 1733 * 1734 * Returns 0 if allowed, error code otherwise 1735 */ 1736 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1737 unsigned long arg) 1738 { 1739 int rc = 0; 1740 struct smk_audit_info ad; 1741 struct inode *inode = file_inode(file); 1742 1743 if (unlikely(IS_PRIVATE(inode))) 1744 return 0; 1745 1746 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1747 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1748 1749 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1750 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1751 rc = smk_bu_file(file, MAY_WRITE, rc); 1752 } 1753 1754 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1755 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1756 rc = smk_bu_file(file, MAY_READ, rc); 1757 } 1758 1759 return rc; 1760 } 1761 1762 /** 1763 * smack_file_lock - Smack check on file locking 1764 * @file: the object 1765 * @cmd: unused 1766 * 1767 * Returns 0 if current has lock access, error code otherwise 1768 */ 1769 static int smack_file_lock(struct file *file, unsigned int cmd) 1770 { 1771 struct smk_audit_info ad; 1772 int rc; 1773 struct inode *inode = file_inode(file); 1774 1775 if (unlikely(IS_PRIVATE(inode))) 1776 return 0; 1777 1778 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1779 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1780 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1781 rc = smk_bu_file(file, MAY_LOCK, rc); 1782 return rc; 1783 } 1784 1785 /** 1786 * smack_file_fcntl - Smack check on fcntl 1787 * @file: the object 1788 * @cmd: what action to check 1789 * @arg: unused 1790 * 1791 * Generally these operations are harmless. 1792 * File locking operations present an obvious mechanism 1793 * for passing information, so they require write access. 1794 * 1795 * Returns 0 if current has access, error code otherwise 1796 */ 1797 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1798 unsigned long arg) 1799 { 1800 struct smk_audit_info ad; 1801 int rc = 0; 1802 struct inode *inode = file_inode(file); 1803 1804 if (unlikely(IS_PRIVATE(inode))) 1805 return 0; 1806 1807 switch (cmd) { 1808 case F_GETLK: 1809 break; 1810 case F_SETLK: 1811 case F_SETLKW: 1812 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1813 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1814 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1815 rc = smk_bu_file(file, MAY_LOCK, rc); 1816 break; 1817 case F_SETOWN: 1818 case F_SETSIG: 1819 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1820 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1821 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1822 rc = smk_bu_file(file, MAY_WRITE, rc); 1823 break; 1824 default: 1825 break; 1826 } 1827 1828 return rc; 1829 } 1830 1831 /** 1832 * smack_mmap_file - Check permissions for a mmap operation. 1833 * @file: contains the file structure for file to map (may be NULL). 1834 * @reqprot: contains the protection requested by the application. 1835 * @prot: contains the protection that will be applied by the kernel. 1836 * @flags: contains the operational flags. 1837 * 1838 * The @file may be NULL, e.g. if mapping anonymous memory. 1839 * 1840 * Return 0 if permission is granted. 1841 */ 1842 static int smack_mmap_file(struct file *file, 1843 unsigned long reqprot, unsigned long prot, 1844 unsigned long flags) 1845 { 1846 struct smack_known *skp; 1847 struct smack_known *mkp; 1848 struct smack_rule *srp; 1849 struct task_smack *tsp; 1850 struct smack_known *okp; 1851 struct inode_smack *isp; 1852 struct superblock_smack *sbsp; 1853 int may; 1854 int mmay; 1855 int tmay; 1856 int rc; 1857 1858 if (file == NULL) 1859 return 0; 1860 1861 if (unlikely(IS_PRIVATE(file_inode(file)))) 1862 return 0; 1863 1864 isp = smack_inode(file_inode(file)); 1865 if (isp->smk_mmap == NULL) 1866 return 0; 1867 sbsp = smack_superblock(file_inode(file)->i_sb); 1868 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1869 isp->smk_mmap != sbsp->smk_root) 1870 return -EACCES; 1871 mkp = isp->smk_mmap; 1872 1873 tsp = smack_cred(current_cred()); 1874 skp = smk_of_current(); 1875 rc = 0; 1876 1877 rcu_read_lock(); 1878 /* 1879 * For each Smack rule associated with the subject 1880 * label verify that the SMACK64MMAP also has access 1881 * to that rule's object label. 1882 */ 1883 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1884 okp = srp->smk_object; 1885 /* 1886 * Matching labels always allows access. 1887 */ 1888 if (mkp->smk_known == okp->smk_known) 1889 continue; 1890 /* 1891 * If there is a matching local rule take 1892 * that into account as well. 1893 */ 1894 may = smk_access_entry(srp->smk_subject->smk_known, 1895 okp->smk_known, 1896 &tsp->smk_rules); 1897 if (may == -ENOENT) 1898 may = srp->smk_access; 1899 else 1900 may &= srp->smk_access; 1901 /* 1902 * If may is zero the SMACK64MMAP subject can't 1903 * possibly have less access. 1904 */ 1905 if (may == 0) 1906 continue; 1907 1908 /* 1909 * Fetch the global list entry. 1910 * If there isn't one a SMACK64MMAP subject 1911 * can't have as much access as current. 1912 */ 1913 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1914 &mkp->smk_rules); 1915 if (mmay == -ENOENT) { 1916 rc = -EACCES; 1917 break; 1918 } 1919 /* 1920 * If there is a local entry it modifies the 1921 * potential access, too. 1922 */ 1923 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1924 &tsp->smk_rules); 1925 if (tmay != -ENOENT) 1926 mmay &= tmay; 1927 1928 /* 1929 * If there is any access available to current that is 1930 * not available to a SMACK64MMAP subject 1931 * deny access. 1932 */ 1933 if ((may | mmay) != mmay) { 1934 rc = -EACCES; 1935 break; 1936 } 1937 } 1938 1939 rcu_read_unlock(); 1940 1941 return rc; 1942 } 1943 1944 /** 1945 * smack_file_set_fowner - set the file security blob value 1946 * @file: object in question 1947 * 1948 */ 1949 static void smack_file_set_fowner(struct file *file) 1950 { 1951 struct smack_known **blob = smack_file(file); 1952 1953 *blob = smk_of_current(); 1954 } 1955 1956 /** 1957 * smack_file_send_sigiotask - Smack on sigio 1958 * @tsk: The target task 1959 * @fown: the object the signal come from 1960 * @signum: unused 1961 * 1962 * Allow a privileged task to get signals even if it shouldn't 1963 * 1964 * Returns 0 if a subject with the object's smack could 1965 * write to the task, an error code otherwise. 1966 */ 1967 static int smack_file_send_sigiotask(struct task_struct *tsk, 1968 struct fown_struct *fown, int signum) 1969 { 1970 struct smack_known **blob; 1971 struct smack_known *skp; 1972 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1973 const struct cred *tcred; 1974 struct file *file; 1975 int rc; 1976 struct smk_audit_info ad; 1977 1978 /* 1979 * struct fown_struct is never outside the context of a struct file 1980 */ 1981 file = fown->file; 1982 1983 /* we don't log here as rc can be overridden */ 1984 blob = smack_file(file); 1985 skp = *blob; 1986 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1987 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1988 1989 rcu_read_lock(); 1990 tcred = __task_cred(tsk); 1991 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1992 rc = 0; 1993 rcu_read_unlock(); 1994 1995 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1996 smk_ad_setfield_u_tsk(&ad, tsk); 1997 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1998 return rc; 1999 } 2000 2001 /** 2002 * smack_file_receive - Smack file receive check 2003 * @file: the object 2004 * 2005 * Returns 0 if current has access, error code otherwise 2006 */ 2007 static int smack_file_receive(struct file *file) 2008 { 2009 int rc; 2010 int may = 0; 2011 struct smk_audit_info ad; 2012 struct inode *inode = file_inode(file); 2013 struct socket *sock; 2014 struct task_smack *tsp; 2015 struct socket_smack *ssp; 2016 2017 if (unlikely(IS_PRIVATE(inode))) 2018 return 0; 2019 2020 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2021 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2022 2023 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 2024 sock = SOCKET_I(inode); 2025 ssp = smack_sock(sock->sk); 2026 tsp = smack_cred(current_cred()); 2027 /* 2028 * If the receiving process can't write to the 2029 * passed socket or if the passed socket can't 2030 * write to the receiving process don't accept 2031 * the passed socket. 2032 */ 2033 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 2034 rc = smk_bu_file(file, may, rc); 2035 if (rc < 0) 2036 return rc; 2037 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 2038 rc = smk_bu_file(file, may, rc); 2039 return rc; 2040 } 2041 /* 2042 * This code relies on bitmasks. 2043 */ 2044 if (file->f_mode & FMODE_READ) 2045 may = MAY_READ; 2046 if (file->f_mode & FMODE_WRITE) 2047 may |= MAY_WRITE; 2048 2049 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2050 rc = smk_bu_file(file, may, rc); 2051 return rc; 2052 } 2053 2054 /** 2055 * smack_file_open - Smack dentry open processing 2056 * @file: the object 2057 * 2058 * Set the security blob in the file structure. 2059 * Allow the open only if the task has read access. There are 2060 * many read operations (e.g. fstat) that you can do with an 2061 * fd even if you have the file open write-only. 2062 * 2063 * Returns 0 if current has access, error code otherwise 2064 */ 2065 static int smack_file_open(struct file *file) 2066 { 2067 struct task_smack *tsp = smack_cred(file->f_cred); 2068 struct inode *inode = file_inode(file); 2069 struct smk_audit_info ad; 2070 int rc; 2071 2072 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2073 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2074 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2075 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2076 2077 return rc; 2078 } 2079 2080 /* 2081 * Task hooks 2082 */ 2083 2084 /** 2085 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2086 * @cred: the new credentials 2087 * @gfp: the atomicity of any memory allocations 2088 * 2089 * Prepare a blank set of credentials for modification. This must allocate all 2090 * the memory the LSM module might require such that cred_transfer() can 2091 * complete without error. 2092 */ 2093 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2094 { 2095 init_task_smack(smack_cred(cred), NULL, NULL); 2096 return 0; 2097 } 2098 2099 2100 /** 2101 * smack_cred_free - "free" task-level security credentials 2102 * @cred: the credentials in question 2103 * 2104 */ 2105 static void smack_cred_free(struct cred *cred) 2106 { 2107 struct task_smack *tsp = smack_cred(cred); 2108 struct smack_rule *rp; 2109 struct list_head *l; 2110 struct list_head *n; 2111 2112 smk_destroy_label_list(&tsp->smk_relabel); 2113 2114 list_for_each_safe(l, n, &tsp->smk_rules) { 2115 rp = list_entry(l, struct smack_rule, list); 2116 list_del(&rp->list); 2117 kmem_cache_free(smack_rule_cache, rp); 2118 } 2119 } 2120 2121 /** 2122 * smack_cred_prepare - prepare new set of credentials for modification 2123 * @new: the new credentials 2124 * @old: the original credentials 2125 * @gfp: the atomicity of any memory allocations 2126 * 2127 * Prepare a new set of credentials for modification. 2128 */ 2129 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2130 gfp_t gfp) 2131 { 2132 struct task_smack *old_tsp = smack_cred(old); 2133 struct task_smack *new_tsp = smack_cred(new); 2134 int rc; 2135 2136 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2137 2138 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2139 if (rc != 0) 2140 return rc; 2141 2142 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2143 gfp); 2144 return rc; 2145 } 2146 2147 /** 2148 * smack_cred_transfer - Transfer the old credentials to the new credentials 2149 * @new: the new credentials 2150 * @old: the original credentials 2151 * 2152 * Fill in a set of blank credentials from another set of credentials. 2153 */ 2154 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2155 { 2156 struct task_smack *old_tsp = smack_cred(old); 2157 struct task_smack *new_tsp = smack_cred(new); 2158 2159 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2160 } 2161 2162 /** 2163 * smack_cred_getsecid - get the secid corresponding to a creds structure 2164 * @cred: the object creds 2165 * @secid: where to put the result 2166 * 2167 * Sets the secid to contain a u32 version of the smack label. 2168 */ 2169 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2170 { 2171 struct smack_known *skp; 2172 2173 rcu_read_lock(); 2174 skp = smk_of_task(smack_cred(cred)); 2175 *secid = skp->smk_secid; 2176 rcu_read_unlock(); 2177 } 2178 2179 /** 2180 * smack_cred_getlsmprop - get the Smack label for a creds structure 2181 * @cred: the object creds 2182 * @prop: where to put the data 2183 * 2184 * Sets the Smack part of the ref 2185 */ 2186 static void smack_cred_getlsmprop(const struct cred *cred, 2187 struct lsm_prop *prop) 2188 { 2189 rcu_read_lock(); 2190 prop->smack.skp = smk_of_task(smack_cred(cred)); 2191 rcu_read_unlock(); 2192 } 2193 2194 /** 2195 * smack_kernel_act_as - Set the subjective context in a set of credentials 2196 * @new: points to the set of credentials to be modified. 2197 * @secid: specifies the security ID to be set 2198 * 2199 * Set the security data for a kernel service. 2200 */ 2201 static int smack_kernel_act_as(struct cred *new, u32 secid) 2202 { 2203 struct task_smack *new_tsp = smack_cred(new); 2204 2205 new_tsp->smk_task = smack_from_secid(secid); 2206 return 0; 2207 } 2208 2209 /** 2210 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2211 * @new: points to the set of credentials to be modified 2212 * @inode: points to the inode to use as a reference 2213 * 2214 * Set the file creation context in a set of credentials to the same 2215 * as the objective context of the specified inode 2216 */ 2217 static int smack_kernel_create_files_as(struct cred *new, 2218 struct inode *inode) 2219 { 2220 struct inode_smack *isp = smack_inode(inode); 2221 struct task_smack *tsp = smack_cred(new); 2222 2223 tsp->smk_forked = isp->smk_inode; 2224 tsp->smk_task = tsp->smk_forked; 2225 return 0; 2226 } 2227 2228 /** 2229 * smk_curacc_on_task - helper to log task related access 2230 * @p: the task object 2231 * @access: the access requested 2232 * @caller: name of the calling function for audit 2233 * 2234 * Return 0 if access is permitted 2235 */ 2236 static int smk_curacc_on_task(struct task_struct *p, int access, 2237 const char *caller) 2238 { 2239 struct smk_audit_info ad; 2240 struct smack_known *skp = smk_of_task_struct_obj(p); 2241 int rc; 2242 2243 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2244 smk_ad_setfield_u_tsk(&ad, p); 2245 rc = smk_curacc(skp, access, &ad); 2246 rc = smk_bu_task(p, access, rc); 2247 return rc; 2248 } 2249 2250 /** 2251 * smack_task_setpgid - Smack check on setting pgid 2252 * @p: the task object 2253 * @pgid: unused 2254 * 2255 * Return 0 if write access is permitted 2256 */ 2257 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2258 { 2259 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2260 } 2261 2262 /** 2263 * smack_task_getpgid - Smack access check for getpgid 2264 * @p: the object task 2265 * 2266 * Returns 0 if current can read the object task, error code otherwise 2267 */ 2268 static int smack_task_getpgid(struct task_struct *p) 2269 { 2270 return smk_curacc_on_task(p, MAY_READ, __func__); 2271 } 2272 2273 /** 2274 * smack_task_getsid - Smack access check for getsid 2275 * @p: the object task 2276 * 2277 * Returns 0 if current can read the object task, error code otherwise 2278 */ 2279 static int smack_task_getsid(struct task_struct *p) 2280 { 2281 return smk_curacc_on_task(p, MAY_READ, __func__); 2282 } 2283 2284 /** 2285 * smack_current_getlsmprop_subj - get the subjective secid of the current task 2286 * @prop: where to put the result 2287 * 2288 * Sets the secid to contain a u32 version of the task's subjective smack label. 2289 */ 2290 static void smack_current_getlsmprop_subj(struct lsm_prop *prop) 2291 { 2292 prop->smack.skp = smk_of_current(); 2293 } 2294 2295 /** 2296 * smack_task_getlsmprop_obj - get the objective data of the task 2297 * @p: the task 2298 * @prop: where to put the result 2299 * 2300 * Sets the secid to contain a u32 version of the task's objective smack label. 2301 */ 2302 static void smack_task_getlsmprop_obj(struct task_struct *p, 2303 struct lsm_prop *prop) 2304 { 2305 prop->smack.skp = smk_of_task_struct_obj(p); 2306 } 2307 2308 /** 2309 * smack_task_setnice - Smack check on setting nice 2310 * @p: the task object 2311 * @nice: unused 2312 * 2313 * Return 0 if write access is permitted 2314 */ 2315 static int smack_task_setnice(struct task_struct *p, int nice) 2316 { 2317 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2318 } 2319 2320 /** 2321 * smack_task_setioprio - Smack check on setting ioprio 2322 * @p: the task object 2323 * @ioprio: unused 2324 * 2325 * Return 0 if write access is permitted 2326 */ 2327 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2328 { 2329 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2330 } 2331 2332 /** 2333 * smack_task_getioprio - Smack check on reading ioprio 2334 * @p: the task object 2335 * 2336 * Return 0 if read access is permitted 2337 */ 2338 static int smack_task_getioprio(struct task_struct *p) 2339 { 2340 return smk_curacc_on_task(p, MAY_READ, __func__); 2341 } 2342 2343 /** 2344 * smack_task_setscheduler - Smack check on setting scheduler 2345 * @p: the task object 2346 * 2347 * Return 0 if read access is permitted 2348 */ 2349 static int smack_task_setscheduler(struct task_struct *p) 2350 { 2351 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2352 } 2353 2354 /** 2355 * smack_task_getscheduler - Smack check on reading scheduler 2356 * @p: the task object 2357 * 2358 * Return 0 if read access is permitted 2359 */ 2360 static int smack_task_getscheduler(struct task_struct *p) 2361 { 2362 return smk_curacc_on_task(p, MAY_READ, __func__); 2363 } 2364 2365 /** 2366 * smack_task_movememory - Smack check on moving memory 2367 * @p: the task object 2368 * 2369 * Return 0 if write access is permitted 2370 */ 2371 static int smack_task_movememory(struct task_struct *p) 2372 { 2373 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2374 } 2375 2376 /** 2377 * smack_task_kill - Smack check on signal delivery 2378 * @p: the task object 2379 * @info: unused 2380 * @sig: unused 2381 * @cred: identifies the cred to use in lieu of current's 2382 * 2383 * Return 0 if write access is permitted 2384 * 2385 */ 2386 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2387 int sig, const struct cred *cred) 2388 { 2389 struct smk_audit_info ad; 2390 struct smack_known *skp; 2391 struct smack_known *tkp = smk_of_task_struct_obj(p); 2392 int rc; 2393 2394 if (!sig) 2395 return 0; /* null signal; existence test */ 2396 2397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2398 smk_ad_setfield_u_tsk(&ad, p); 2399 /* 2400 * Sending a signal requires that the sender 2401 * can write the receiver. 2402 */ 2403 if (cred == NULL) { 2404 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2405 rc = smk_bu_task(p, MAY_DELIVER, rc); 2406 return rc; 2407 } 2408 /* 2409 * If the cred isn't NULL we're dealing with some USB IO 2410 * specific behavior. This is not clean. For one thing 2411 * we can't take privilege into account. 2412 */ 2413 skp = smk_of_task(smack_cred(cred)); 2414 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2415 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2416 return rc; 2417 } 2418 2419 /** 2420 * smack_task_to_inode - copy task smack into the inode blob 2421 * @p: task to copy from 2422 * @inode: inode to copy to 2423 * 2424 * Sets the smack pointer in the inode security blob 2425 */ 2426 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2427 { 2428 struct inode_smack *isp = smack_inode(inode); 2429 struct smack_known *skp = smk_of_task_struct_obj(p); 2430 2431 isp->smk_inode = skp; 2432 isp->smk_flags |= SMK_INODE_INSTANT; 2433 } 2434 2435 /* 2436 * Socket hooks. 2437 */ 2438 2439 /** 2440 * smack_sk_alloc_security - Allocate a socket blob 2441 * @sk: the socket 2442 * @family: unused 2443 * @gfp_flags: memory allocation flags 2444 * 2445 * Assign Smack pointers to current 2446 * 2447 * Returns 0 on success, -ENOMEM is there's no memory 2448 */ 2449 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2450 { 2451 struct smack_known *skp = smk_of_current(); 2452 struct socket_smack *ssp = smack_sock(sk); 2453 2454 /* 2455 * Sockets created by kernel threads receive web label. 2456 */ 2457 if (unlikely(current->flags & PF_KTHREAD)) { 2458 ssp->smk_in = &smack_known_web; 2459 ssp->smk_out = &smack_known_web; 2460 } else { 2461 ssp->smk_in = skp; 2462 ssp->smk_out = skp; 2463 } 2464 ssp->smk_packet = NULL; 2465 2466 return 0; 2467 } 2468 2469 #ifdef SMACK_IPV6_PORT_LABELING 2470 /** 2471 * smack_sk_free_security - Free a socket blob 2472 * @sk: the socket 2473 * 2474 * Clears the blob pointer 2475 */ 2476 static void smack_sk_free_security(struct sock *sk) 2477 { 2478 struct smk_port_label *spp; 2479 2480 if (sk->sk_family == PF_INET6) { 2481 rcu_read_lock(); 2482 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2483 if (spp->smk_sock != sk) 2484 continue; 2485 spp->smk_can_reuse = 1; 2486 break; 2487 } 2488 rcu_read_unlock(); 2489 } 2490 } 2491 #endif 2492 2493 /** 2494 * smack_sk_clone_security - Copy security context 2495 * @sk: the old socket 2496 * @newsk: the new socket 2497 * 2498 * Copy the security context of the old socket pointer to the cloned 2499 */ 2500 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2501 { 2502 struct socket_smack *ssp_old = smack_sock(sk); 2503 struct socket_smack *ssp_new = smack_sock(newsk); 2504 2505 *ssp_new = *ssp_old; 2506 } 2507 2508 /** 2509 * smack_ipv4host_label - check host based restrictions 2510 * @sip: the object end 2511 * 2512 * looks for host based access restrictions 2513 * 2514 * This version will only be appropriate for really small sets of single label 2515 * hosts. The caller is responsible for ensuring that the RCU read lock is 2516 * taken before calling this function. 2517 * 2518 * Returns the label of the far end or NULL if it's not special. 2519 */ 2520 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2521 { 2522 struct smk_net4addr *snp; 2523 struct in_addr *siap = &sip->sin_addr; 2524 2525 if (siap->s_addr == 0) 2526 return NULL; 2527 2528 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2529 /* 2530 * we break after finding the first match because 2531 * the list is sorted from longest to shortest mask 2532 * so we have found the most specific match 2533 */ 2534 if (snp->smk_host.s_addr == 2535 (siap->s_addr & snp->smk_mask.s_addr)) 2536 return snp->smk_label; 2537 2538 return NULL; 2539 } 2540 2541 #if IS_ENABLED(CONFIG_IPV6) 2542 /* 2543 * smk_ipv6_localhost - Check for local ipv6 host address 2544 * @sip: the address 2545 * 2546 * Returns boolean true if this is the localhost address 2547 */ 2548 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2549 { 2550 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2551 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2552 2553 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2554 ntohs(be16p[7]) == 1) 2555 return true; 2556 return false; 2557 } 2558 2559 /** 2560 * smack_ipv6host_label - check host based restrictions 2561 * @sip: the object end 2562 * 2563 * looks for host based access restrictions 2564 * 2565 * This version will only be appropriate for really small sets of single label 2566 * hosts. The caller is responsible for ensuring that the RCU read lock is 2567 * taken before calling this function. 2568 * 2569 * Returns the label of the far end or NULL if it's not special. 2570 */ 2571 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2572 { 2573 struct smk_net6addr *snp; 2574 struct in6_addr *sap = &sip->sin6_addr; 2575 int i; 2576 int found = 0; 2577 2578 /* 2579 * It's local. Don't look for a host label. 2580 */ 2581 if (smk_ipv6_localhost(sip)) 2582 return NULL; 2583 2584 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2585 /* 2586 * If the label is NULL the entry has 2587 * been renounced. Ignore it. 2588 */ 2589 if (snp->smk_label == NULL) 2590 continue; 2591 /* 2592 * we break after finding the first match because 2593 * the list is sorted from longest to shortest mask 2594 * so we have found the most specific match 2595 */ 2596 for (found = 1, i = 0; i < 8; i++) { 2597 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2598 snp->smk_host.s6_addr16[i]) { 2599 found = 0; 2600 break; 2601 } 2602 } 2603 if (found) 2604 return snp->smk_label; 2605 } 2606 2607 return NULL; 2608 } 2609 #endif /* CONFIG_IPV6 */ 2610 2611 /** 2612 * smack_netlbl_add - Set the secattr on a socket 2613 * @sk: the socket 2614 * 2615 * Attach the outbound smack value (smk_out) to the socket. 2616 * 2617 * Returns 0 on success or an error code 2618 */ 2619 static int smack_netlbl_add(struct sock *sk) 2620 { 2621 struct socket_smack *ssp = smack_sock(sk); 2622 struct smack_known *skp = ssp->smk_out; 2623 int rc; 2624 2625 local_bh_disable(); 2626 bh_lock_sock_nested(sk); 2627 2628 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2629 netlbl_sk_lock_check(sk)); 2630 switch (rc) { 2631 case 0: 2632 ssp->smk_state = SMK_NETLBL_LABELED; 2633 break; 2634 case -EDESTADDRREQ: 2635 ssp->smk_state = SMK_NETLBL_REQSKB; 2636 rc = 0; 2637 break; 2638 } 2639 2640 bh_unlock_sock(sk); 2641 local_bh_enable(); 2642 2643 return rc; 2644 } 2645 2646 /** 2647 * smack_netlbl_delete - Remove the secattr from a socket 2648 * @sk: the socket 2649 * 2650 * Remove the outbound smack value from a socket 2651 */ 2652 static void smack_netlbl_delete(struct sock *sk) 2653 { 2654 struct socket_smack *ssp = smack_sock(sk); 2655 2656 /* 2657 * Take the label off the socket if one is set. 2658 */ 2659 if (ssp->smk_state != SMK_NETLBL_LABELED) 2660 return; 2661 2662 local_bh_disable(); 2663 bh_lock_sock_nested(sk); 2664 netlbl_sock_delattr(sk); 2665 bh_unlock_sock(sk); 2666 local_bh_enable(); 2667 ssp->smk_state = SMK_NETLBL_UNLABELED; 2668 } 2669 2670 /** 2671 * smk_ipv4_check - Perform IPv4 host access checks 2672 * @sk: the socket 2673 * @sap: the destination address 2674 * 2675 * Set the correct secattr for the given socket based on the destination 2676 * address and perform any outbound access checks needed. 2677 * 2678 * Returns 0 on success or an error code. 2679 * 2680 */ 2681 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2682 { 2683 struct smack_known *skp; 2684 int rc = 0; 2685 struct smack_known *hkp; 2686 struct socket_smack *ssp = smack_sock(sk); 2687 struct smk_audit_info ad; 2688 2689 rcu_read_lock(); 2690 hkp = smack_ipv4host_label(sap); 2691 if (hkp != NULL) { 2692 #ifdef CONFIG_AUDIT 2693 struct lsm_network_audit net; 2694 2695 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2696 ad.a.u.net->family = sap->sin_family; 2697 ad.a.u.net->dport = sap->sin_port; 2698 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2699 #endif 2700 skp = ssp->smk_out; 2701 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2702 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2703 /* 2704 * Clear the socket netlabel if it's set. 2705 */ 2706 if (!rc) 2707 smack_netlbl_delete(sk); 2708 } 2709 rcu_read_unlock(); 2710 2711 return rc; 2712 } 2713 2714 #if IS_ENABLED(CONFIG_IPV6) 2715 /** 2716 * smk_ipv6_check - check Smack access 2717 * @subject: subject Smack label 2718 * @object: object Smack label 2719 * @address: address 2720 * @act: the action being taken 2721 * 2722 * Check an IPv6 access 2723 */ 2724 static int smk_ipv6_check(struct smack_known *subject, 2725 struct smack_known *object, 2726 struct sockaddr_in6 *address, int act) 2727 { 2728 #ifdef CONFIG_AUDIT 2729 struct lsm_network_audit net; 2730 #endif 2731 struct smk_audit_info ad; 2732 int rc; 2733 2734 #ifdef CONFIG_AUDIT 2735 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2736 ad.a.u.net->family = PF_INET6; 2737 ad.a.u.net->dport = address->sin6_port; 2738 if (act == SMK_RECEIVING) 2739 ad.a.u.net->v6info.saddr = address->sin6_addr; 2740 else 2741 ad.a.u.net->v6info.daddr = address->sin6_addr; 2742 #endif 2743 rc = smk_access(subject, object, MAY_WRITE, &ad); 2744 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2745 return rc; 2746 } 2747 #endif /* CONFIG_IPV6 */ 2748 2749 #ifdef SMACK_IPV6_PORT_LABELING 2750 /** 2751 * smk_ipv6_port_label - Smack port access table management 2752 * @sock: socket 2753 * @address: address 2754 * 2755 * Create or update the port list entry 2756 */ 2757 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2758 { 2759 struct sock *sk = sock->sk; 2760 struct sockaddr_in6 *addr6; 2761 struct socket_smack *ssp = smack_sock(sock->sk); 2762 struct smk_port_label *spp; 2763 unsigned short port = 0; 2764 2765 if (address == NULL) { 2766 /* 2767 * This operation is changing the Smack information 2768 * on the bound socket. Take the changes to the port 2769 * as well. 2770 */ 2771 rcu_read_lock(); 2772 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2773 if (sk != spp->smk_sock) 2774 continue; 2775 spp->smk_in = ssp->smk_in; 2776 spp->smk_out = ssp->smk_out; 2777 rcu_read_unlock(); 2778 return; 2779 } 2780 /* 2781 * A NULL address is only used for updating existing 2782 * bound entries. If there isn't one, it's OK. 2783 */ 2784 rcu_read_unlock(); 2785 return; 2786 } 2787 2788 addr6 = (struct sockaddr_in6 *)address; 2789 port = ntohs(addr6->sin6_port); 2790 /* 2791 * This is a special case that is safely ignored. 2792 */ 2793 if (port == 0) 2794 return; 2795 2796 /* 2797 * Look for an existing port list entry. 2798 * This is an indication that a port is getting reused. 2799 */ 2800 rcu_read_lock(); 2801 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2802 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2803 continue; 2804 if (spp->smk_can_reuse != 1) { 2805 rcu_read_unlock(); 2806 return; 2807 } 2808 spp->smk_port = port; 2809 spp->smk_sock = sk; 2810 spp->smk_in = ssp->smk_in; 2811 spp->smk_out = ssp->smk_out; 2812 spp->smk_can_reuse = 0; 2813 rcu_read_unlock(); 2814 return; 2815 } 2816 rcu_read_unlock(); 2817 /* 2818 * A new port entry is required. 2819 */ 2820 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2821 if (spp == NULL) 2822 return; 2823 2824 spp->smk_port = port; 2825 spp->smk_sock = sk; 2826 spp->smk_in = ssp->smk_in; 2827 spp->smk_out = ssp->smk_out; 2828 spp->smk_sock_type = sock->type; 2829 spp->smk_can_reuse = 0; 2830 2831 mutex_lock(&smack_ipv6_lock); 2832 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2833 mutex_unlock(&smack_ipv6_lock); 2834 return; 2835 } 2836 2837 /** 2838 * smk_ipv6_port_check - check Smack port access 2839 * @sk: socket 2840 * @address: address 2841 * @act: the action being taken 2842 * 2843 * Create or update the port list entry 2844 */ 2845 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2846 int act) 2847 { 2848 struct smk_port_label *spp; 2849 struct socket_smack *ssp = smack_sock(sk); 2850 struct smack_known *skp = NULL; 2851 unsigned short port; 2852 struct smack_known *object; 2853 2854 if (act == SMK_RECEIVING) { 2855 skp = smack_ipv6host_label(address); 2856 object = ssp->smk_in; 2857 } else { 2858 skp = ssp->smk_out; 2859 object = smack_ipv6host_label(address); 2860 } 2861 2862 /* 2863 * The other end is a single label host. 2864 */ 2865 if (skp != NULL && object != NULL) 2866 return smk_ipv6_check(skp, object, address, act); 2867 if (skp == NULL) 2868 skp = smack_net_ambient; 2869 if (object == NULL) 2870 object = smack_net_ambient; 2871 2872 /* 2873 * It's remote, so port lookup does no good. 2874 */ 2875 if (!smk_ipv6_localhost(address)) 2876 return smk_ipv6_check(skp, object, address, act); 2877 2878 /* 2879 * It's local so the send check has to have passed. 2880 */ 2881 if (act == SMK_RECEIVING) 2882 return 0; 2883 2884 port = ntohs(address->sin6_port); 2885 rcu_read_lock(); 2886 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2887 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2888 continue; 2889 object = spp->smk_in; 2890 if (act == SMK_CONNECTING) 2891 ssp->smk_packet = spp->smk_out; 2892 break; 2893 } 2894 rcu_read_unlock(); 2895 2896 return smk_ipv6_check(skp, object, address, act); 2897 } 2898 #endif 2899 2900 /** 2901 * smack_inode_setsecurity - set smack xattrs 2902 * @inode: the object 2903 * @name: attribute name 2904 * @value: attribute value 2905 * @size: size of the attribute 2906 * @flags: unused 2907 * 2908 * Sets the named attribute in the appropriate blob 2909 * 2910 * Returns 0 on success, or an error code 2911 */ 2912 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2913 const void *value, size_t size, int flags) 2914 { 2915 struct smack_known *skp; 2916 struct inode_smack *nsp = smack_inode(inode); 2917 struct socket_smack *ssp; 2918 struct socket *sock; 2919 int rc = 0; 2920 2921 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2922 return -EINVAL; 2923 2924 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2925 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2926 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2927 return -EINVAL; 2928 2929 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2930 return 0; 2931 } 2932 2933 skp = smk_import_entry(value, size); 2934 if (IS_ERR(skp)) 2935 return PTR_ERR(skp); 2936 2937 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2938 nsp->smk_inode = skp; 2939 nsp->smk_flags |= SMK_INODE_INSTANT; 2940 return 0; 2941 } 2942 /* 2943 * The rest of the Smack xattrs are only on sockets. 2944 */ 2945 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2946 return -EOPNOTSUPP; 2947 2948 sock = SOCKET_I(inode); 2949 if (sock == NULL || sock->sk == NULL) 2950 return -EOPNOTSUPP; 2951 2952 ssp = smack_sock(sock->sk); 2953 2954 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2955 ssp->smk_in = skp; 2956 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2957 ssp->smk_out = skp; 2958 if (sock->sk->sk_family == PF_INET) { 2959 rc = smack_netlbl_add(sock->sk); 2960 if (rc != 0) 2961 printk(KERN_WARNING 2962 "Smack: \"%s\" netlbl error %d.\n", 2963 __func__, -rc); 2964 } 2965 } else 2966 return -EOPNOTSUPP; 2967 2968 #ifdef SMACK_IPV6_PORT_LABELING 2969 if (sock->sk->sk_family == PF_INET6) 2970 smk_ipv6_port_label(sock, NULL); 2971 #endif 2972 2973 return 0; 2974 } 2975 2976 /** 2977 * smack_socket_post_create - finish socket setup 2978 * @sock: the socket 2979 * @family: protocol family 2980 * @type: unused 2981 * @protocol: unused 2982 * @kern: unused 2983 * 2984 * Sets the netlabel information on the socket 2985 * 2986 * Returns 0 on success, and error code otherwise 2987 */ 2988 static int smack_socket_post_create(struct socket *sock, int family, 2989 int type, int protocol, int kern) 2990 { 2991 struct socket_smack *ssp; 2992 2993 if (sock->sk == NULL) 2994 return 0; 2995 2996 /* 2997 * Sockets created by kernel threads receive web label. 2998 */ 2999 if (unlikely(current->flags & PF_KTHREAD)) { 3000 ssp = smack_sock(sock->sk); 3001 ssp->smk_in = &smack_known_web; 3002 ssp->smk_out = &smack_known_web; 3003 } 3004 3005 if (family != PF_INET) 3006 return 0; 3007 /* 3008 * Set the outbound netlbl. 3009 */ 3010 return smack_netlbl_add(sock->sk); 3011 } 3012 3013 /** 3014 * smack_socket_socketpair - create socket pair 3015 * @socka: one socket 3016 * @sockb: another socket 3017 * 3018 * Cross reference the peer labels for SO_PEERSEC 3019 * 3020 * Returns 0 3021 */ 3022 static int smack_socket_socketpair(struct socket *socka, 3023 struct socket *sockb) 3024 { 3025 struct socket_smack *asp = smack_sock(socka->sk); 3026 struct socket_smack *bsp = smack_sock(sockb->sk); 3027 3028 asp->smk_packet = bsp->smk_out; 3029 bsp->smk_packet = asp->smk_out; 3030 3031 return 0; 3032 } 3033 3034 #ifdef SMACK_IPV6_PORT_LABELING 3035 /** 3036 * smack_socket_bind - record port binding information. 3037 * @sock: the socket 3038 * @address: the port address 3039 * @addrlen: size of the address 3040 * 3041 * Records the label bound to a port. 3042 * 3043 * Returns 0 on success, and error code otherwise 3044 */ 3045 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 3046 int addrlen) 3047 { 3048 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 3049 if (addrlen < SIN6_LEN_RFC2133 || 3050 address->sa_family != AF_INET6) 3051 return -EINVAL; 3052 smk_ipv6_port_label(sock, address); 3053 } 3054 return 0; 3055 } 3056 #endif /* SMACK_IPV6_PORT_LABELING */ 3057 3058 /** 3059 * smack_socket_connect - connect access check 3060 * @sock: the socket 3061 * @sap: the other end 3062 * @addrlen: size of sap 3063 * 3064 * Verifies that a connection may be possible 3065 * 3066 * Returns 0 on success, and error code otherwise 3067 */ 3068 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3069 int addrlen) 3070 { 3071 int rc = 0; 3072 3073 if (sock->sk == NULL) 3074 return 0; 3075 if (sock->sk->sk_family != PF_INET && 3076 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3077 return 0; 3078 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3079 return 0; 3080 3081 #if IS_ENABLED(CONFIG_IPV6) 3082 if (sap->sa_family == AF_INET6) { 3083 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3084 struct smack_known *rsp = NULL; 3085 3086 if (addrlen < SIN6_LEN_RFC2133) 3087 return 0; 3088 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3089 rsp = smack_ipv6host_label(sip); 3090 if (rsp != NULL) { 3091 struct socket_smack *ssp = smack_sock(sock->sk); 3092 3093 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3094 SMK_CONNECTING); 3095 } 3096 #ifdef SMACK_IPV6_PORT_LABELING 3097 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3098 #endif 3099 3100 return rc; 3101 } 3102 #endif /* CONFIG_IPV6 */ 3103 3104 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3105 return 0; 3106 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3107 return rc; 3108 } 3109 3110 /** 3111 * smack_flags_to_may - convert S_ to MAY_ values 3112 * @flags: the S_ value 3113 * 3114 * Returns the equivalent MAY_ value 3115 */ 3116 static int smack_flags_to_may(int flags) 3117 { 3118 int may = 0; 3119 3120 if (flags & S_IRUGO) 3121 may |= MAY_READ; 3122 if (flags & S_IWUGO) 3123 may |= MAY_WRITE; 3124 if (flags & S_IXUGO) 3125 may |= MAY_EXEC; 3126 3127 return may; 3128 } 3129 3130 /** 3131 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3132 * @msg: the object 3133 * 3134 * Returns 0 3135 */ 3136 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3137 { 3138 struct smack_known **blob = smack_msg_msg(msg); 3139 3140 *blob = smk_of_current(); 3141 return 0; 3142 } 3143 3144 /** 3145 * smack_of_ipc - the smack pointer for the ipc 3146 * @isp: the object 3147 * 3148 * Returns a pointer to the smack value 3149 */ 3150 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3151 { 3152 struct smack_known **blob = smack_ipc(isp); 3153 3154 return *blob; 3155 } 3156 3157 /** 3158 * smack_ipc_alloc_security - Set the security blob for ipc 3159 * @isp: the object 3160 * 3161 * Returns 0 3162 */ 3163 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3164 { 3165 struct smack_known **blob = smack_ipc(isp); 3166 3167 *blob = smk_of_current(); 3168 return 0; 3169 } 3170 3171 /** 3172 * smk_curacc_shm : check if current has access on shm 3173 * @isp : the object 3174 * @access : access requested 3175 * 3176 * Returns 0 if current has the requested access, error code otherwise 3177 */ 3178 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3179 { 3180 struct smack_known *ssp = smack_of_ipc(isp); 3181 struct smk_audit_info ad; 3182 int rc; 3183 3184 #ifdef CONFIG_AUDIT 3185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3186 ad.a.u.ipc_id = isp->id; 3187 #endif 3188 rc = smk_curacc(ssp, access, &ad); 3189 rc = smk_bu_current("shm", ssp, access, rc); 3190 return rc; 3191 } 3192 3193 /** 3194 * smack_shm_associate - Smack access check for shm 3195 * @isp: the object 3196 * @shmflg: access requested 3197 * 3198 * Returns 0 if current has the requested access, error code otherwise 3199 */ 3200 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3201 { 3202 int may; 3203 3204 may = smack_flags_to_may(shmflg); 3205 return smk_curacc_shm(isp, may); 3206 } 3207 3208 /** 3209 * smack_shm_shmctl - Smack access check for shm 3210 * @isp: the object 3211 * @cmd: what it wants to do 3212 * 3213 * Returns 0 if current has the requested access, error code otherwise 3214 */ 3215 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3216 { 3217 int may; 3218 3219 switch (cmd) { 3220 case IPC_STAT: 3221 case SHM_STAT: 3222 case SHM_STAT_ANY: 3223 may = MAY_READ; 3224 break; 3225 case IPC_SET: 3226 case SHM_LOCK: 3227 case SHM_UNLOCK: 3228 case IPC_RMID: 3229 may = MAY_READWRITE; 3230 break; 3231 case IPC_INFO: 3232 case SHM_INFO: 3233 /* 3234 * System level information. 3235 */ 3236 return 0; 3237 default: 3238 return -EINVAL; 3239 } 3240 return smk_curacc_shm(isp, may); 3241 } 3242 3243 /** 3244 * smack_shm_shmat - Smack access for shmat 3245 * @isp: the object 3246 * @shmaddr: unused 3247 * @shmflg: access requested 3248 * 3249 * Returns 0 if current has the requested access, error code otherwise 3250 */ 3251 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3252 int shmflg) 3253 { 3254 int may; 3255 3256 may = smack_flags_to_may(shmflg); 3257 return smk_curacc_shm(isp, may); 3258 } 3259 3260 /** 3261 * smk_curacc_sem : check if current has access on sem 3262 * @isp : the object 3263 * @access : access requested 3264 * 3265 * Returns 0 if current has the requested access, error code otherwise 3266 */ 3267 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3268 { 3269 struct smack_known *ssp = smack_of_ipc(isp); 3270 struct smk_audit_info ad; 3271 int rc; 3272 3273 #ifdef CONFIG_AUDIT 3274 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3275 ad.a.u.ipc_id = isp->id; 3276 #endif 3277 rc = smk_curacc(ssp, access, &ad); 3278 rc = smk_bu_current("sem", ssp, access, rc); 3279 return rc; 3280 } 3281 3282 /** 3283 * smack_sem_associate - Smack access check for sem 3284 * @isp: the object 3285 * @semflg: access requested 3286 * 3287 * Returns 0 if current has the requested access, error code otherwise 3288 */ 3289 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3290 { 3291 int may; 3292 3293 may = smack_flags_to_may(semflg); 3294 return smk_curacc_sem(isp, may); 3295 } 3296 3297 /** 3298 * smack_sem_semctl - Smack access check for sem 3299 * @isp: the object 3300 * @cmd: what it wants to do 3301 * 3302 * Returns 0 if current has the requested access, error code otherwise 3303 */ 3304 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3305 { 3306 int may; 3307 3308 switch (cmd) { 3309 case GETPID: 3310 case GETNCNT: 3311 case GETZCNT: 3312 case GETVAL: 3313 case GETALL: 3314 case IPC_STAT: 3315 case SEM_STAT: 3316 case SEM_STAT_ANY: 3317 may = MAY_READ; 3318 break; 3319 case SETVAL: 3320 case SETALL: 3321 case IPC_RMID: 3322 case IPC_SET: 3323 may = MAY_READWRITE; 3324 break; 3325 case IPC_INFO: 3326 case SEM_INFO: 3327 /* 3328 * System level information 3329 */ 3330 return 0; 3331 default: 3332 return -EINVAL; 3333 } 3334 3335 return smk_curacc_sem(isp, may); 3336 } 3337 3338 /** 3339 * smack_sem_semop - Smack checks of semaphore operations 3340 * @isp: the object 3341 * @sops: unused 3342 * @nsops: unused 3343 * @alter: unused 3344 * 3345 * Treated as read and write in all cases. 3346 * 3347 * Returns 0 if access is allowed, error code otherwise 3348 */ 3349 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3350 unsigned nsops, int alter) 3351 { 3352 return smk_curacc_sem(isp, MAY_READWRITE); 3353 } 3354 3355 /** 3356 * smk_curacc_msq : helper to check if current has access on msq 3357 * @isp : the msq 3358 * @access : access requested 3359 * 3360 * return 0 if current has access, error otherwise 3361 */ 3362 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3363 { 3364 struct smack_known *msp = smack_of_ipc(isp); 3365 struct smk_audit_info ad; 3366 int rc; 3367 3368 #ifdef CONFIG_AUDIT 3369 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3370 ad.a.u.ipc_id = isp->id; 3371 #endif 3372 rc = smk_curacc(msp, access, &ad); 3373 rc = smk_bu_current("msq", msp, access, rc); 3374 return rc; 3375 } 3376 3377 /** 3378 * smack_msg_queue_associate - Smack access check for msg_queue 3379 * @isp: the object 3380 * @msqflg: access requested 3381 * 3382 * Returns 0 if current has the requested access, error code otherwise 3383 */ 3384 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3385 { 3386 int may; 3387 3388 may = smack_flags_to_may(msqflg); 3389 return smk_curacc_msq(isp, may); 3390 } 3391 3392 /** 3393 * smack_msg_queue_msgctl - Smack access check for msg_queue 3394 * @isp: the object 3395 * @cmd: what it wants to do 3396 * 3397 * Returns 0 if current has the requested access, error code otherwise 3398 */ 3399 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3400 { 3401 int may; 3402 3403 switch (cmd) { 3404 case IPC_STAT: 3405 case MSG_STAT: 3406 case MSG_STAT_ANY: 3407 may = MAY_READ; 3408 break; 3409 case IPC_SET: 3410 case IPC_RMID: 3411 may = MAY_READWRITE; 3412 break; 3413 case IPC_INFO: 3414 case MSG_INFO: 3415 /* 3416 * System level information 3417 */ 3418 return 0; 3419 default: 3420 return -EINVAL; 3421 } 3422 3423 return smk_curacc_msq(isp, may); 3424 } 3425 3426 /** 3427 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3428 * @isp: the object 3429 * @msg: unused 3430 * @msqflg: access requested 3431 * 3432 * Returns 0 if current has the requested access, error code otherwise 3433 */ 3434 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3435 int msqflg) 3436 { 3437 int may; 3438 3439 may = smack_flags_to_may(msqflg); 3440 return smk_curacc_msq(isp, may); 3441 } 3442 3443 /** 3444 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3445 * @isp: the object 3446 * @msg: unused 3447 * @target: unused 3448 * @type: unused 3449 * @mode: unused 3450 * 3451 * Returns 0 if current has read and write access, error code otherwise 3452 */ 3453 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3454 struct msg_msg *msg, 3455 struct task_struct *target, long type, 3456 int mode) 3457 { 3458 return smk_curacc_msq(isp, MAY_READWRITE); 3459 } 3460 3461 /** 3462 * smack_ipc_permission - Smack access for ipc_permission() 3463 * @ipp: the object permissions 3464 * @flag: access requested 3465 * 3466 * Returns 0 if current has read and write access, error code otherwise 3467 */ 3468 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3469 { 3470 struct smack_known **blob = smack_ipc(ipp); 3471 struct smack_known *iskp = *blob; 3472 int may = smack_flags_to_may(flag); 3473 struct smk_audit_info ad; 3474 int rc; 3475 3476 #ifdef CONFIG_AUDIT 3477 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3478 ad.a.u.ipc_id = ipp->id; 3479 #endif 3480 rc = smk_curacc(iskp, may, &ad); 3481 rc = smk_bu_current("svipc", iskp, may, rc); 3482 return rc; 3483 } 3484 3485 /** 3486 * smack_ipc_getlsmprop - Extract smack security data 3487 * @ipp: the object permissions 3488 * @prop: where result will be saved 3489 */ 3490 static void smack_ipc_getlsmprop(struct kern_ipc_perm *ipp, struct lsm_prop *prop) 3491 { 3492 struct smack_known **iskpp = smack_ipc(ipp); 3493 3494 prop->smack.skp = *iskpp; 3495 } 3496 3497 /** 3498 * smack_d_instantiate - Make sure the blob is correct on an inode 3499 * @opt_dentry: dentry where inode will be attached 3500 * @inode: the object 3501 * 3502 * Set the inode's security blob if it hasn't been done already. 3503 */ 3504 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3505 { 3506 struct super_block *sbp; 3507 struct superblock_smack *sbsp; 3508 struct inode_smack *isp; 3509 struct smack_known *skp; 3510 struct smack_known *ckp = smk_of_current(); 3511 struct smack_known *final; 3512 char trattr[TRANS_TRUE_SIZE]; 3513 int transflag = 0; 3514 int rc; 3515 struct dentry *dp; 3516 3517 if (inode == NULL) 3518 return; 3519 3520 isp = smack_inode(inode); 3521 3522 /* 3523 * If the inode is already instantiated 3524 * take the quick way out 3525 */ 3526 if (isp->smk_flags & SMK_INODE_INSTANT) 3527 return; 3528 3529 sbp = inode->i_sb; 3530 sbsp = smack_superblock(sbp); 3531 /* 3532 * We're going to use the superblock default label 3533 * if there's no label on the file. 3534 */ 3535 final = sbsp->smk_default; 3536 3537 /* 3538 * If this is the root inode the superblock 3539 * may be in the process of initialization. 3540 * If that is the case use the root value out 3541 * of the superblock. 3542 */ 3543 if (opt_dentry->d_parent == opt_dentry) { 3544 switch (sbp->s_magic) { 3545 case CGROUP_SUPER_MAGIC: 3546 case CGROUP2_SUPER_MAGIC: 3547 /* 3548 * The cgroup filesystem is never mounted, 3549 * so there's no opportunity to set the mount 3550 * options. 3551 */ 3552 sbsp->smk_root = &smack_known_star; 3553 sbsp->smk_default = &smack_known_star; 3554 isp->smk_inode = sbsp->smk_root; 3555 break; 3556 case TMPFS_MAGIC: 3557 /* 3558 * What about shmem/tmpfs anonymous files with dentry 3559 * obtained from d_alloc_pseudo()? 3560 */ 3561 isp->smk_inode = smk_of_current(); 3562 break; 3563 case PIPEFS_MAGIC: 3564 isp->smk_inode = smk_of_current(); 3565 break; 3566 case SOCKFS_MAGIC: 3567 /* 3568 * Socket access is controlled by the socket 3569 * structures associated with the task involved. 3570 */ 3571 isp->smk_inode = &smack_known_star; 3572 break; 3573 default: 3574 isp->smk_inode = sbsp->smk_root; 3575 break; 3576 } 3577 isp->smk_flags |= SMK_INODE_INSTANT; 3578 return; 3579 } 3580 3581 /* 3582 * This is pretty hackish. 3583 * Casey says that we shouldn't have to do 3584 * file system specific code, but it does help 3585 * with keeping it simple. 3586 */ 3587 switch (sbp->s_magic) { 3588 case SMACK_MAGIC: 3589 case CGROUP_SUPER_MAGIC: 3590 case CGROUP2_SUPER_MAGIC: 3591 /* 3592 * Casey says that it's a little embarrassing 3593 * that the smack file system doesn't do 3594 * extended attributes. 3595 * 3596 * Cgroupfs is special 3597 */ 3598 final = &smack_known_star; 3599 break; 3600 case DEVPTS_SUPER_MAGIC: 3601 /* 3602 * devpts seems content with the label of the task. 3603 * Programs that change smack have to treat the 3604 * pty with respect. 3605 */ 3606 final = ckp; 3607 break; 3608 case PROC_SUPER_MAGIC: 3609 /* 3610 * Casey says procfs appears not to care. 3611 * The superblock default suffices. 3612 */ 3613 break; 3614 case TMPFS_MAGIC: 3615 /* 3616 * Device labels should come from the filesystem, 3617 * but watch out, because they're volitile, 3618 * getting recreated on every reboot. 3619 */ 3620 final = &smack_known_star; 3621 /* 3622 * If a smack value has been set we want to use it, 3623 * but since tmpfs isn't giving us the opportunity 3624 * to set mount options simulate setting the 3625 * superblock default. 3626 */ 3627 fallthrough; 3628 default: 3629 /* 3630 * This isn't an understood special case. 3631 * Get the value from the xattr. 3632 */ 3633 3634 /* 3635 * UDS inode has fixed label (*) 3636 */ 3637 if (S_ISSOCK(inode->i_mode)) { 3638 final = &smack_known_star; 3639 break; 3640 } 3641 /* 3642 * No xattr support means, alas, no SMACK label. 3643 * Use the aforeapplied default. 3644 * It would be curious if the label of the task 3645 * does not match that assigned. 3646 */ 3647 if (!(inode->i_opflags & IOP_XATTR)) 3648 break; 3649 /* 3650 * Get the dentry for xattr. 3651 */ 3652 dp = dget(opt_dentry); 3653 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3654 if (!IS_ERR_OR_NULL(skp)) 3655 final = skp; 3656 3657 /* 3658 * Transmuting directory 3659 */ 3660 if (S_ISDIR(inode->i_mode)) { 3661 /* 3662 * If this is a new directory and the label was 3663 * transmuted when the inode was initialized 3664 * set the transmute attribute on the directory 3665 * and mark the inode. 3666 * 3667 * If there is a transmute attribute on the 3668 * directory mark the inode. 3669 */ 3670 rc = __vfs_getxattr(dp, inode, 3671 XATTR_NAME_SMACKTRANSMUTE, trattr, 3672 TRANS_TRUE_SIZE); 3673 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3674 TRANS_TRUE_SIZE) != 0) 3675 rc = -EINVAL; 3676 if (rc >= 0) 3677 transflag = SMK_INODE_TRANSMUTE; 3678 } 3679 /* 3680 * Don't let the exec or mmap label be "*" or "@". 3681 */ 3682 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3683 if (IS_ERR(skp) || skp == &smack_known_star || 3684 skp == &smack_known_web) 3685 skp = NULL; 3686 isp->smk_task = skp; 3687 3688 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3689 if (IS_ERR(skp) || skp == &smack_known_star || 3690 skp == &smack_known_web) 3691 skp = NULL; 3692 isp->smk_mmap = skp; 3693 3694 dput(dp); 3695 break; 3696 } 3697 3698 if (final == NULL) 3699 isp->smk_inode = ckp; 3700 else 3701 isp->smk_inode = final; 3702 3703 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3704 3705 return; 3706 } 3707 3708 /** 3709 * smack_getselfattr - Smack current process attribute 3710 * @attr: which attribute to fetch 3711 * @ctx: buffer to receive the result 3712 * @size: available size in, actual size out 3713 * @flags: reserved, currently zero 3714 * 3715 * Fill the passed user space @ctx with the details of the requested 3716 * attribute. 3717 * 3718 * Returns the number of attributes on success, an error code otherwise. 3719 * There will only ever be one attribute. 3720 */ 3721 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3722 u32 *size, u32 flags) 3723 { 3724 int rc; 3725 struct smack_known *skp; 3726 3727 if (attr != LSM_ATTR_CURRENT) 3728 return -EOPNOTSUPP; 3729 3730 skp = smk_of_current(); 3731 rc = lsm_fill_user_ctx(ctx, size, 3732 skp->smk_known, strlen(skp->smk_known) + 1, 3733 LSM_ID_SMACK, 0); 3734 return (!rc ? 1 : rc); 3735 } 3736 3737 /** 3738 * smack_getprocattr - Smack process attribute access 3739 * @p: the object task 3740 * @name: the name of the attribute in /proc/.../attr 3741 * @value: where to put the result 3742 * 3743 * Places a copy of the task Smack into value 3744 * 3745 * Returns the length of the smack label or an error code 3746 */ 3747 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3748 { 3749 struct smack_known *skp = smk_of_task_struct_obj(p); 3750 char *cp; 3751 int slen; 3752 3753 if (strcmp(name, "current") != 0) 3754 return -EINVAL; 3755 3756 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3757 if (cp == NULL) 3758 return -ENOMEM; 3759 3760 slen = strlen(cp); 3761 *value = cp; 3762 return slen; 3763 } 3764 3765 /** 3766 * do_setattr - Smack process attribute setting 3767 * @attr: the ID of the attribute 3768 * @value: the value to set 3769 * @size: the size of the value 3770 * 3771 * Sets the Smack value of the task. Only setting self 3772 * is permitted and only with privilege 3773 * 3774 * Returns zero on success or an error code 3775 */ 3776 static int do_setattr(unsigned int attr, void *value, size_t size) 3777 { 3778 struct task_smack *tsp = smack_cred(current_cred()); 3779 struct cred *new; 3780 struct smack_known *skp; 3781 int label_len; 3782 3783 /* 3784 * let unprivileged user validate input, check permissions later 3785 */ 3786 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3787 return -EINVAL; 3788 3789 label_len = smk_parse_label_len(value, size); 3790 if (label_len < 0 || label_len != size) 3791 return -EINVAL; 3792 3793 /* 3794 * No process is ever allowed the web ("@") label 3795 * and the star ("*") label. 3796 */ 3797 if (label_len == 1 /* '@', '*' */) { 3798 const char c = *(const char *)value; 3799 3800 if (c == *smack_known_web.smk_known || 3801 c == *smack_known_star.smk_known) 3802 return -EPERM; 3803 } 3804 3805 if (!smack_privileged(CAP_MAC_ADMIN)) { 3806 const struct smack_known_list_elem *sklep; 3807 list_for_each_entry(sklep, &tsp->smk_relabel, list) { 3808 const char *cp = sklep->smk_label->smk_known; 3809 3810 if (strlen(cp) == label_len && 3811 strncmp(cp, value, label_len) == 0) 3812 goto in_relabel; 3813 } 3814 return -EPERM; 3815 in_relabel: 3816 ; 3817 } 3818 3819 skp = smk_import_valid_label(value, label_len, GFP_KERNEL); 3820 if (IS_ERR(skp)) 3821 return PTR_ERR(skp); 3822 3823 new = prepare_creds(); 3824 if (new == NULL) 3825 return -ENOMEM; 3826 3827 tsp = smack_cred(new); 3828 tsp->smk_task = skp; 3829 /* 3830 * process can change its label only once 3831 */ 3832 smk_destroy_label_list(&tsp->smk_relabel); 3833 3834 commit_creds(new); 3835 return 0; 3836 } 3837 3838 /** 3839 * smack_setselfattr - Set a Smack process attribute 3840 * @attr: which attribute to set 3841 * @ctx: buffer containing the data 3842 * @size: size of @ctx 3843 * @flags: reserved, must be zero 3844 * 3845 * Fill the passed user space @ctx with the details of the requested 3846 * attribute. 3847 * 3848 * Returns 0 on success, an error code otherwise. 3849 */ 3850 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3851 u32 size, u32 flags) 3852 { 3853 if (attr != LSM_ATTR_CURRENT) 3854 return -EOPNOTSUPP; 3855 3856 if (ctx->flags) 3857 return -EINVAL; 3858 /* 3859 * string must have \0 terminator, included in ctx->ctx 3860 * (see description of struct lsm_ctx) 3861 */ 3862 if (ctx->ctx_len == 0) 3863 return -EINVAL; 3864 3865 if (ctx->ctx[ctx->ctx_len - 1] != '\0') 3866 return -EINVAL; 3867 /* 3868 * other do_setattr() caller, smack_setprocattr(), 3869 * does not count \0 into size, so 3870 * decreasing length by 1 to accommodate the divergence. 3871 */ 3872 return do_setattr(attr, ctx->ctx, ctx->ctx_len - 1); 3873 } 3874 3875 /** 3876 * smack_setprocattr - Smack process attribute setting 3877 * @name: the name of the attribute in /proc/.../attr 3878 * @value: the value to set 3879 * @size: the size of the value 3880 * 3881 * Sets the Smack value of the task. Only setting self 3882 * is permitted and only with privilege 3883 * 3884 * Returns the size of the input value or an error code 3885 */ 3886 static int smack_setprocattr(const char *name, void *value, size_t size) 3887 { 3888 size_t realsize = size; 3889 unsigned int attr = lsm_name_to_attr(name); 3890 3891 switch (attr) { 3892 case LSM_ATTR_UNDEF: return -EINVAL; 3893 default: return -EOPNOTSUPP; 3894 case LSM_ATTR_CURRENT: 3895 ; 3896 } 3897 3898 /* 3899 * The value for the "current" attribute is the label 3900 * followed by one of the 4 trailers: none, \0, \n, \n\0 3901 * 3902 * I.e. following inputs are accepted as 3-characters long label "foo": 3903 * 3904 * "foo" (3 characters) 3905 * "foo\0" (4 characters) 3906 * "foo\n" (4 characters) 3907 * "foo\n\0" (5 characters) 3908 */ 3909 3910 if (realsize && (((const char *)value)[realsize - 1] == '\0')) 3911 --realsize; 3912 3913 if (realsize && (((const char *)value)[realsize - 1] == '\n')) 3914 --realsize; 3915 3916 return do_setattr(attr, value, realsize) ? : size; 3917 } 3918 3919 /** 3920 * smack_unix_stream_connect - Smack access on UDS 3921 * @sock: one sock 3922 * @other: the other sock 3923 * @newsk: unused 3924 * 3925 * Return 0 if a subject with the smack of sock could access 3926 * an object with the smack of other, otherwise an error code 3927 */ 3928 static int smack_unix_stream_connect(struct sock *sock, 3929 struct sock *other, struct sock *newsk) 3930 { 3931 struct smack_known *skp; 3932 struct smack_known *okp; 3933 struct socket_smack *ssp = smack_sock(sock); 3934 struct socket_smack *osp = smack_sock(other); 3935 struct socket_smack *nsp = smack_sock(newsk); 3936 struct smk_audit_info ad; 3937 int rc = 0; 3938 #ifdef CONFIG_AUDIT 3939 struct lsm_network_audit net; 3940 #endif 3941 3942 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3943 skp = ssp->smk_out; 3944 okp = osp->smk_in; 3945 #ifdef CONFIG_AUDIT 3946 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3947 smk_ad_setfield_u_net_sk(&ad, other); 3948 #endif 3949 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3950 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3951 if (rc == 0) { 3952 okp = osp->smk_out; 3953 skp = ssp->smk_in; 3954 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3955 rc = smk_bu_note("UDS connect", okp, skp, 3956 MAY_WRITE, rc); 3957 } 3958 } 3959 3960 if (rc == 0) { 3961 /* 3962 * Cross reference the peer labels for SO_PEERSEC. 3963 */ 3964 nsp->smk_packet = ssp->smk_out; 3965 ssp->smk_packet = osp->smk_out; 3966 3967 /* 3968 * new/child/established socket must inherit listening socket labels 3969 */ 3970 nsp->smk_out = osp->smk_out; 3971 nsp->smk_in = osp->smk_in; 3972 } 3973 3974 return rc; 3975 } 3976 3977 /** 3978 * smack_unix_may_send - Smack access on UDS 3979 * @sock: one socket 3980 * @other: the other socket 3981 * 3982 * Return 0 if a subject with the smack of sock could access 3983 * an object with the smack of other, otherwise an error code 3984 */ 3985 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3986 { 3987 struct socket_smack *ssp = smack_sock(sock->sk); 3988 struct socket_smack *osp = smack_sock(other->sk); 3989 struct smk_audit_info ad; 3990 int rc; 3991 3992 #ifdef CONFIG_AUDIT 3993 struct lsm_network_audit net; 3994 3995 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3996 smk_ad_setfield_u_net_sk(&ad, other->sk); 3997 #endif 3998 3999 if (smack_privileged(CAP_MAC_OVERRIDE)) 4000 return 0; 4001 4002 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 4003 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 4004 return rc; 4005 } 4006 4007 /** 4008 * smack_socket_sendmsg - Smack check based on destination host 4009 * @sock: the socket 4010 * @msg: the message 4011 * @size: the size of the message 4012 * 4013 * Return 0 if the current subject can write to the destination host. 4014 * For IPv4 this is only a question if the destination is a single label host. 4015 * For IPv6 this is a check against the label of the port. 4016 */ 4017 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4018 int size) 4019 { 4020 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 4021 #if IS_ENABLED(CONFIG_IPV6) 4022 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 4023 #endif 4024 #ifdef SMACK_IPV6_SECMARK_LABELING 4025 struct socket_smack *ssp = smack_sock(sock->sk); 4026 struct smack_known *rsp; 4027 #endif 4028 int rc = 0; 4029 4030 /* 4031 * Perfectly reasonable for this to be NULL 4032 */ 4033 if (sip == NULL) 4034 return 0; 4035 4036 switch (sock->sk->sk_family) { 4037 case AF_INET: 4038 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 4039 sip->sin_family != AF_INET) 4040 return -EINVAL; 4041 rc = smk_ipv4_check(sock->sk, sip); 4042 break; 4043 #if IS_ENABLED(CONFIG_IPV6) 4044 case AF_INET6: 4045 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 4046 sap->sin6_family != AF_INET6) 4047 return -EINVAL; 4048 #ifdef SMACK_IPV6_SECMARK_LABELING 4049 rsp = smack_ipv6host_label(sap); 4050 if (rsp != NULL) 4051 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 4052 SMK_CONNECTING); 4053 #endif 4054 #ifdef SMACK_IPV6_PORT_LABELING 4055 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 4056 #endif 4057 #endif /* IS_ENABLED(CONFIG_IPV6) */ 4058 break; 4059 } 4060 return rc; 4061 } 4062 4063 /** 4064 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 4065 * @sap: netlabel secattr 4066 * @ssp: socket security information 4067 * 4068 * Returns a pointer to a Smack label entry found on the label list. 4069 */ 4070 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 4071 struct socket_smack *ssp) 4072 { 4073 struct smack_known *skp; 4074 int found = 0; 4075 int acat; 4076 int kcat; 4077 4078 /* 4079 * Netlabel found it in the cache. 4080 */ 4081 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 4082 return (struct smack_known *)sap->cache->data; 4083 4084 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 4085 /* 4086 * Looks like a fallback, which gives us a secid. 4087 */ 4088 return smack_from_secid(sap->attr.secid); 4089 4090 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 4091 /* 4092 * Looks like a CIPSO packet. 4093 * If there are flags but no level netlabel isn't 4094 * behaving the way we expect it to. 4095 * 4096 * Look it up in the label table 4097 * Without guidance regarding the smack value 4098 * for the packet fall back on the network 4099 * ambient value. 4100 */ 4101 rcu_read_lock(); 4102 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4103 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4104 continue; 4105 /* 4106 * Compare the catsets. Use the netlbl APIs. 4107 */ 4108 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4109 if ((skp->smk_netlabel.flags & 4110 NETLBL_SECATTR_MLS_CAT) == 0) 4111 found = 1; 4112 break; 4113 } 4114 for (acat = -1, kcat = -1; acat == kcat; ) { 4115 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4116 acat + 1); 4117 kcat = netlbl_catmap_walk( 4118 skp->smk_netlabel.attr.mls.cat, 4119 kcat + 1); 4120 if (acat < 0 || kcat < 0) 4121 break; 4122 } 4123 if (acat == kcat) { 4124 found = 1; 4125 break; 4126 } 4127 } 4128 rcu_read_unlock(); 4129 4130 if (found) 4131 return skp; 4132 4133 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4134 return &smack_known_web; 4135 return &smack_known_star; 4136 } 4137 /* 4138 * Without guidance regarding the smack value 4139 * for the packet fall back on the network 4140 * ambient value. 4141 */ 4142 return smack_net_ambient; 4143 } 4144 4145 #if IS_ENABLED(CONFIG_IPV6) 4146 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4147 { 4148 u8 nexthdr; 4149 int offset; 4150 int proto = -EINVAL; 4151 struct ipv6hdr _ipv6h; 4152 struct ipv6hdr *ip6; 4153 __be16 frag_off; 4154 struct tcphdr _tcph, *th; 4155 struct udphdr _udph, *uh; 4156 4157 sip->sin6_port = 0; 4158 4159 offset = skb_network_offset(skb); 4160 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4161 if (ip6 == NULL) 4162 return -EINVAL; 4163 sip->sin6_addr = ip6->saddr; 4164 4165 nexthdr = ip6->nexthdr; 4166 offset += sizeof(_ipv6h); 4167 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4168 if (offset < 0) 4169 return -EINVAL; 4170 4171 proto = nexthdr; 4172 switch (proto) { 4173 case IPPROTO_TCP: 4174 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4175 if (th != NULL) 4176 sip->sin6_port = th->source; 4177 break; 4178 case IPPROTO_UDP: 4179 case IPPROTO_UDPLITE: 4180 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4181 if (uh != NULL) 4182 sip->sin6_port = uh->source; 4183 break; 4184 } 4185 return proto; 4186 } 4187 #endif /* CONFIG_IPV6 */ 4188 4189 /** 4190 * smack_from_skb - Smack data from the secmark in an skb 4191 * @skb: packet 4192 * 4193 * Returns smack_known of the secmark or NULL if that won't work. 4194 */ 4195 #ifdef CONFIG_NETWORK_SECMARK 4196 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4197 { 4198 if (skb == NULL || skb->secmark == 0) 4199 return NULL; 4200 4201 return smack_from_secid(skb->secmark); 4202 } 4203 #else 4204 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4205 { 4206 return NULL; 4207 } 4208 #endif 4209 4210 /** 4211 * smack_from_netlbl - Smack data from the IP options in an skb 4212 * @sk: socket data came in on 4213 * @family: address family 4214 * @skb: packet 4215 * 4216 * Find the Smack label in the IP options. If it hasn't been 4217 * added to the netlabel cache, add it here. 4218 * 4219 * Returns smack_known of the IP options or NULL if that won't work. 4220 */ 4221 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4222 struct sk_buff *skb) 4223 { 4224 struct netlbl_lsm_secattr secattr; 4225 struct socket_smack *ssp = NULL; 4226 struct smack_known *skp = NULL; 4227 4228 netlbl_secattr_init(&secattr); 4229 4230 if (sk) 4231 ssp = smack_sock(sk); 4232 4233 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4234 skp = smack_from_secattr(&secattr, ssp); 4235 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4236 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4237 } 4238 4239 netlbl_secattr_destroy(&secattr); 4240 4241 return skp; 4242 } 4243 4244 /** 4245 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4246 * @sk: socket 4247 * @skb: packet 4248 * 4249 * Returns 0 if the packet should be delivered, an error code otherwise 4250 */ 4251 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4252 { 4253 struct socket_smack *ssp = smack_sock(sk); 4254 struct smack_known *skp = NULL; 4255 int rc = 0; 4256 struct smk_audit_info ad; 4257 u16 family = sk->sk_family; 4258 #ifdef CONFIG_AUDIT 4259 struct lsm_network_audit net; 4260 #endif 4261 #if IS_ENABLED(CONFIG_IPV6) 4262 struct sockaddr_in6 sadd; 4263 int proto; 4264 4265 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4266 family = PF_INET; 4267 #endif /* CONFIG_IPV6 */ 4268 4269 switch (family) { 4270 case PF_INET: 4271 /* 4272 * If there is a secmark use it rather than the CIPSO label. 4273 * If there is no secmark fall back to CIPSO. 4274 * The secmark is assumed to reflect policy better. 4275 */ 4276 skp = smack_from_skb(skb); 4277 if (skp == NULL) { 4278 skp = smack_from_netlbl(sk, family, skb); 4279 if (skp == NULL) 4280 skp = smack_net_ambient; 4281 } 4282 4283 #ifdef CONFIG_AUDIT 4284 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4285 ad.a.u.net->family = family; 4286 ad.a.u.net->netif = skb->skb_iif; 4287 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4288 #endif 4289 /* 4290 * Receiving a packet requires that the other end 4291 * be able to write here. Read access is not required. 4292 * This is the simplest possible security model 4293 * for networking. 4294 */ 4295 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4296 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4297 MAY_WRITE, rc); 4298 if (rc != 0) 4299 netlbl_skbuff_err(skb, family, rc, 0); 4300 break; 4301 #if IS_ENABLED(CONFIG_IPV6) 4302 case PF_INET6: 4303 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4304 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4305 proto != IPPROTO_TCP) 4306 break; 4307 #ifdef SMACK_IPV6_SECMARK_LABELING 4308 skp = smack_from_skb(skb); 4309 if (skp == NULL) { 4310 if (smk_ipv6_localhost(&sadd)) 4311 break; 4312 skp = smack_ipv6host_label(&sadd); 4313 if (skp == NULL) 4314 skp = smack_net_ambient; 4315 } 4316 #ifdef CONFIG_AUDIT 4317 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4318 ad.a.u.net->family = family; 4319 ad.a.u.net->netif = skb->skb_iif; 4320 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4321 #endif /* CONFIG_AUDIT */ 4322 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4323 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4324 MAY_WRITE, rc); 4325 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4326 #ifdef SMACK_IPV6_PORT_LABELING 4327 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4328 #endif /* SMACK_IPV6_PORT_LABELING */ 4329 if (rc != 0) 4330 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4331 ICMPV6_ADM_PROHIBITED, 0); 4332 break; 4333 #endif /* CONFIG_IPV6 */ 4334 } 4335 4336 return rc; 4337 } 4338 4339 /** 4340 * smack_socket_getpeersec_stream - pull in packet label 4341 * @sock: the socket 4342 * @optval: user's destination 4343 * @optlen: size thereof 4344 * @len: max thereof 4345 * 4346 * returns zero on success, an error code otherwise 4347 */ 4348 static int smack_socket_getpeersec_stream(struct socket *sock, 4349 sockptr_t optval, sockptr_t optlen, 4350 unsigned int len) 4351 { 4352 struct socket_smack *ssp; 4353 char *rcp = ""; 4354 u32 slen = 1; 4355 int rc = 0; 4356 4357 ssp = smack_sock(sock->sk); 4358 if (ssp->smk_packet != NULL) { 4359 rcp = ssp->smk_packet->smk_known; 4360 slen = strlen(rcp) + 1; 4361 } 4362 if (slen > len) { 4363 rc = -ERANGE; 4364 goto out_len; 4365 } 4366 4367 if (copy_to_sockptr(optval, rcp, slen)) 4368 rc = -EFAULT; 4369 out_len: 4370 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4371 rc = -EFAULT; 4372 return rc; 4373 } 4374 4375 4376 /** 4377 * smack_socket_getpeersec_dgram - pull in packet label 4378 * @sock: the peer socket 4379 * @skb: packet data 4380 * @secid: pointer to where to put the secid of the packet 4381 * 4382 * Sets the netlabel socket state on sk from parent 4383 */ 4384 static int smack_socket_getpeersec_dgram(struct socket *sock, 4385 struct sk_buff *skb, u32 *secid) 4386 4387 { 4388 struct socket_smack *ssp = NULL; 4389 struct smack_known *skp; 4390 struct sock *sk = NULL; 4391 int family = PF_UNSPEC; 4392 u32 s = 0; /* 0 is the invalid secid */ 4393 4394 if (skb != NULL) { 4395 if (skb->protocol == htons(ETH_P_IP)) 4396 family = PF_INET; 4397 #if IS_ENABLED(CONFIG_IPV6) 4398 else if (skb->protocol == htons(ETH_P_IPV6)) 4399 family = PF_INET6; 4400 #endif /* CONFIG_IPV6 */ 4401 } 4402 if (family == PF_UNSPEC && sock != NULL) 4403 family = sock->sk->sk_family; 4404 4405 switch (family) { 4406 case PF_UNIX: 4407 ssp = smack_sock(sock->sk); 4408 s = ssp->smk_out->smk_secid; 4409 break; 4410 case PF_INET: 4411 skp = smack_from_skb(skb); 4412 if (skp) { 4413 s = skp->smk_secid; 4414 break; 4415 } 4416 /* 4417 * Translate what netlabel gave us. 4418 */ 4419 if (sock != NULL) 4420 sk = sock->sk; 4421 skp = smack_from_netlbl(sk, family, skb); 4422 if (skp != NULL) 4423 s = skp->smk_secid; 4424 break; 4425 case PF_INET6: 4426 #ifdef SMACK_IPV6_SECMARK_LABELING 4427 skp = smack_from_skb(skb); 4428 if (skp) 4429 s = skp->smk_secid; 4430 #endif 4431 break; 4432 } 4433 *secid = s; 4434 if (s == 0) 4435 return -EINVAL; 4436 return 0; 4437 } 4438 4439 /** 4440 * smack_inet_conn_request - Smack access check on connect 4441 * @sk: socket involved 4442 * @skb: packet 4443 * @req: unused 4444 * 4445 * Returns 0 if a task with the packet label could write to 4446 * the socket, otherwise an error code 4447 */ 4448 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4449 struct request_sock *req) 4450 { 4451 u16 family = sk->sk_family; 4452 struct smack_known *skp; 4453 struct socket_smack *ssp = smack_sock(sk); 4454 struct sockaddr_in addr; 4455 struct iphdr *hdr; 4456 struct smack_known *hskp; 4457 int rc; 4458 struct smk_audit_info ad; 4459 #ifdef CONFIG_AUDIT 4460 struct lsm_network_audit net; 4461 #endif 4462 4463 #if IS_ENABLED(CONFIG_IPV6) 4464 if (family == PF_INET6) { 4465 /* 4466 * Handle mapped IPv4 packets arriving 4467 * via IPv6 sockets. Don't set up netlabel 4468 * processing on IPv6. 4469 */ 4470 if (skb->protocol == htons(ETH_P_IP)) 4471 family = PF_INET; 4472 else 4473 return 0; 4474 } 4475 #endif /* CONFIG_IPV6 */ 4476 4477 /* 4478 * If there is a secmark use it rather than the CIPSO label. 4479 * If there is no secmark fall back to CIPSO. 4480 * The secmark is assumed to reflect policy better. 4481 */ 4482 skp = smack_from_skb(skb); 4483 if (skp == NULL) { 4484 skp = smack_from_netlbl(sk, family, skb); 4485 if (skp == NULL) 4486 skp = &smack_known_huh; 4487 } 4488 4489 #ifdef CONFIG_AUDIT 4490 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4491 ad.a.u.net->family = family; 4492 ad.a.u.net->netif = skb->skb_iif; 4493 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4494 #endif 4495 /* 4496 * Receiving a packet requires that the other end be able to write 4497 * here. Read access is not required. 4498 */ 4499 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4500 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4501 if (rc != 0) 4502 return rc; 4503 4504 /* 4505 * Save the peer's label in the request_sock so we can later setup 4506 * smk_packet in the child socket so that SO_PEERCRED can report it. 4507 */ 4508 req->peer_secid = skp->smk_secid; 4509 4510 /* 4511 * We need to decide if we want to label the incoming connection here 4512 * if we do we only need to label the request_sock and the stack will 4513 * propagate the wire-label to the sock when it is created. 4514 */ 4515 hdr = ip_hdr(skb); 4516 addr.sin_addr.s_addr = hdr->saddr; 4517 rcu_read_lock(); 4518 hskp = smack_ipv4host_label(&addr); 4519 rcu_read_unlock(); 4520 4521 if (hskp == NULL) 4522 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4523 else 4524 netlbl_req_delattr(req); 4525 4526 return rc; 4527 } 4528 4529 /** 4530 * smack_inet_csk_clone - Copy the connection information to the new socket 4531 * @sk: the new socket 4532 * @req: the connection's request_sock 4533 * 4534 * Transfer the connection's peer label to the newly created socket. 4535 */ 4536 static void smack_inet_csk_clone(struct sock *sk, 4537 const struct request_sock *req) 4538 { 4539 struct socket_smack *ssp = smack_sock(sk); 4540 struct smack_known *skp; 4541 4542 if (req->peer_secid != 0) { 4543 skp = smack_from_secid(req->peer_secid); 4544 ssp->smk_packet = skp; 4545 } else 4546 ssp->smk_packet = NULL; 4547 } 4548 4549 /* 4550 * Key management security hooks 4551 * 4552 * Casey has not tested key support very heavily. 4553 * The permission check is most likely too restrictive. 4554 * If you care about keys please have a look. 4555 */ 4556 #ifdef CONFIG_KEYS 4557 4558 /** 4559 * smack_key_alloc - Set the key security blob 4560 * @key: object 4561 * @cred: the credentials to use 4562 * @flags: unused 4563 * 4564 * No allocation required 4565 * 4566 * Returns 0 4567 */ 4568 static int smack_key_alloc(struct key *key, const struct cred *cred, 4569 unsigned long flags) 4570 { 4571 struct smack_known **blob = smack_key(key); 4572 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4573 4574 *blob = skp; 4575 return 0; 4576 } 4577 4578 /** 4579 * smack_key_permission - Smack access on a key 4580 * @key_ref: gets to the object 4581 * @cred: the credentials to use 4582 * @need_perm: requested key permission 4583 * 4584 * Return 0 if the task has read and write to the object, 4585 * an error code otherwise 4586 */ 4587 static int smack_key_permission(key_ref_t key_ref, 4588 const struct cred *cred, 4589 enum key_need_perm need_perm) 4590 { 4591 struct smack_known **blob; 4592 struct smack_known *skp; 4593 struct key *keyp; 4594 struct smk_audit_info ad; 4595 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4596 int request = 0; 4597 int rc; 4598 4599 /* 4600 * Validate requested permissions 4601 */ 4602 switch (need_perm) { 4603 case KEY_NEED_READ: 4604 case KEY_NEED_SEARCH: 4605 case KEY_NEED_VIEW: 4606 request |= MAY_READ; 4607 break; 4608 case KEY_NEED_WRITE: 4609 case KEY_NEED_LINK: 4610 case KEY_NEED_SETATTR: 4611 request |= MAY_WRITE; 4612 break; 4613 case KEY_NEED_UNSPECIFIED: 4614 case KEY_NEED_UNLINK: 4615 case KEY_SYSADMIN_OVERRIDE: 4616 case KEY_AUTHTOKEN_OVERRIDE: 4617 case KEY_DEFER_PERM_CHECK: 4618 return 0; 4619 default: 4620 return -EINVAL; 4621 } 4622 4623 keyp = key_ref_to_ptr(key_ref); 4624 if (keyp == NULL) 4625 return -EINVAL; 4626 /* 4627 * If the key hasn't been initialized give it access so that 4628 * it may do so. 4629 */ 4630 blob = smack_key(keyp); 4631 skp = *blob; 4632 if (skp == NULL) 4633 return 0; 4634 /* 4635 * This should not occur 4636 */ 4637 if (tkp == NULL) 4638 return -EACCES; 4639 4640 if (smack_privileged(CAP_MAC_OVERRIDE)) 4641 return 0; 4642 4643 #ifdef CONFIG_AUDIT 4644 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4645 ad.a.u.key_struct.key = keyp->serial; 4646 ad.a.u.key_struct.key_desc = keyp->description; 4647 #endif 4648 rc = smk_access(tkp, skp, request, &ad); 4649 rc = smk_bu_note("key access", tkp, skp, request, rc); 4650 return rc; 4651 } 4652 4653 /* 4654 * smack_key_getsecurity - Smack label tagging the key 4655 * @key points to the key to be queried 4656 * @_buffer points to a pointer that should be set to point to the 4657 * resulting string (if no label or an error occurs). 4658 * Return the length of the string (including terminating NUL) or -ve if 4659 * an error. 4660 * May also return 0 (and a NULL buffer pointer) if there is no label. 4661 */ 4662 static int smack_key_getsecurity(struct key *key, char **_buffer) 4663 { 4664 struct smack_known **blob = smack_key(key); 4665 struct smack_known *skp = *blob; 4666 size_t length; 4667 char *copy; 4668 4669 if (skp == NULL) { 4670 *_buffer = NULL; 4671 return 0; 4672 } 4673 4674 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4675 if (copy == NULL) 4676 return -ENOMEM; 4677 length = strlen(copy) + 1; 4678 4679 *_buffer = copy; 4680 return length; 4681 } 4682 4683 4684 #ifdef CONFIG_KEY_NOTIFICATIONS 4685 /** 4686 * smack_watch_key - Smack access to watch a key for notifications. 4687 * @key: The key to be watched 4688 * 4689 * Return 0 if the @watch->cred has permission to read from the key object and 4690 * an error otherwise. 4691 */ 4692 static int smack_watch_key(struct key *key) 4693 { 4694 struct smk_audit_info ad; 4695 struct smack_known *tkp = smk_of_current(); 4696 struct smack_known **blob = smack_key(key); 4697 int rc; 4698 4699 /* 4700 * This should not occur 4701 */ 4702 if (tkp == NULL) 4703 return -EACCES; 4704 4705 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4706 return 0; 4707 4708 #ifdef CONFIG_AUDIT 4709 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4710 ad.a.u.key_struct.key = key->serial; 4711 ad.a.u.key_struct.key_desc = key->description; 4712 #endif 4713 rc = smk_access(tkp, *blob, MAY_READ, &ad); 4714 rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc); 4715 return rc; 4716 } 4717 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4718 #endif /* CONFIG_KEYS */ 4719 4720 #ifdef CONFIG_WATCH_QUEUE 4721 /** 4722 * smack_post_notification - Smack access to post a notification to a queue 4723 * @w_cred: The credentials of the watcher. 4724 * @cred: The credentials of the event source (may be NULL). 4725 * @n: The notification message to be posted. 4726 */ 4727 static int smack_post_notification(const struct cred *w_cred, 4728 const struct cred *cred, 4729 struct watch_notification *n) 4730 { 4731 struct smk_audit_info ad; 4732 struct smack_known *subj, *obj; 4733 int rc; 4734 4735 /* Always let maintenance notifications through. */ 4736 if (n->type == WATCH_TYPE_META) 4737 return 0; 4738 4739 if (!cred) 4740 return 0; 4741 subj = smk_of_task(smack_cred(cred)); 4742 obj = smk_of_task(smack_cred(w_cred)); 4743 4744 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4745 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4746 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4747 return rc; 4748 } 4749 #endif /* CONFIG_WATCH_QUEUE */ 4750 4751 /* 4752 * Smack Audit hooks 4753 * 4754 * Audit requires a unique representation of each Smack specific 4755 * rule. This unique representation is used to distinguish the 4756 * object to be audited from remaining kernel objects and also 4757 * works as a glue between the audit hooks. 4758 * 4759 * Since repository entries are added but never deleted, we'll use 4760 * the smack_known label address related to the given audit rule as 4761 * the needed unique representation. This also better fits the smack 4762 * model where nearly everything is a label. 4763 */ 4764 #ifdef CONFIG_AUDIT 4765 4766 /** 4767 * smack_audit_rule_init - Initialize a smack audit rule 4768 * @field: audit rule fields given from user-space (audit.h) 4769 * @op: required testing operator (=, !=, >, <, ...) 4770 * @rulestr: smack label to be audited 4771 * @vrule: pointer to save our own audit rule representation 4772 * @gfp: type of the memory for the allocation 4773 * 4774 * Prepare to audit cases where (@field @op @rulestr) is true. 4775 * The label to be audited is created if necessary. 4776 */ 4777 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4778 gfp_t gfp) 4779 { 4780 struct smack_known *skp; 4781 char **rule = (char **)vrule; 4782 *rule = NULL; 4783 4784 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4785 return -EINVAL; 4786 4787 if (op != Audit_equal && op != Audit_not_equal) 4788 return -EINVAL; 4789 4790 skp = smk_import_entry(rulestr, 0); 4791 if (IS_ERR(skp)) 4792 return PTR_ERR(skp); 4793 4794 *rule = skp->smk_known; 4795 4796 return 0; 4797 } 4798 4799 /** 4800 * smack_audit_rule_known - Distinguish Smack audit rules 4801 * @krule: rule of interest, in Audit kernel representation format 4802 * 4803 * This is used to filter Smack rules from remaining Audit ones. 4804 * If it's proved that this rule belongs to us, the 4805 * audit_rule_match hook will be called to do the final judgement. 4806 */ 4807 static int smack_audit_rule_known(struct audit_krule *krule) 4808 { 4809 struct audit_field *f; 4810 int i; 4811 4812 for (i = 0; i < krule->field_count; i++) { 4813 f = &krule->fields[i]; 4814 4815 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4816 return 1; 4817 } 4818 4819 return 0; 4820 } 4821 4822 /** 4823 * smack_audit_rule_match - Audit given object ? 4824 * @prop: security id for identifying the object to test 4825 * @field: audit rule flags given from user-space 4826 * @op: required testing operator 4827 * @vrule: smack internal rule presentation 4828 * 4829 * The core Audit hook. It's used to take the decision of 4830 * whether to audit or not to audit a given object. 4831 */ 4832 static int smack_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, 4833 void *vrule) 4834 { 4835 struct smack_known *skp = prop->smack.skp; 4836 char *rule = vrule; 4837 4838 if (unlikely(!rule)) { 4839 WARN_ONCE(1, "Smack: missing rule\n"); 4840 return -ENOENT; 4841 } 4842 4843 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4844 return 0; 4845 4846 /* 4847 * No need to do string comparisons. If a match occurs, 4848 * both pointers will point to the same smack_known 4849 * label. 4850 */ 4851 if (op == Audit_equal) 4852 return (rule == skp->smk_known); 4853 if (op == Audit_not_equal) 4854 return (rule != skp->smk_known); 4855 4856 return 0; 4857 } 4858 4859 /* 4860 * There is no need for a smack_audit_rule_free hook. 4861 * No memory was allocated. 4862 */ 4863 4864 #endif /* CONFIG_AUDIT */ 4865 4866 /** 4867 * smack_ismaclabel - check if xattr @name references a smack MAC label 4868 * @name: Full xattr name to check. 4869 */ 4870 static int smack_ismaclabel(const char *name) 4871 { 4872 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4873 } 4874 4875 /** 4876 * smack_to_secctx - fill a lsm_context 4877 * @skp: Smack label 4878 * @cp: destination 4879 * 4880 * Fill the passed @cp and return the length of the string 4881 */ 4882 static int smack_to_secctx(struct smack_known *skp, struct lsm_context *cp) 4883 { 4884 int len = strlen(skp->smk_known); 4885 4886 if (cp) { 4887 cp->context = skp->smk_known; 4888 cp->len = len; 4889 cp->id = LSM_ID_SMACK; 4890 } 4891 return len; 4892 } 4893 4894 /** 4895 * smack_secid_to_secctx - return the smack label for a secid 4896 * @secid: incoming integer 4897 * @cp: destination 4898 * 4899 * Exists for networking code. 4900 */ 4901 static int smack_secid_to_secctx(u32 secid, struct lsm_context *cp) 4902 { 4903 return smack_to_secctx(smack_from_secid(secid), cp); 4904 } 4905 4906 /** 4907 * smack_lsmprop_to_secctx - return the smack label 4908 * @prop: includes incoming Smack data 4909 * @cp: destination 4910 * 4911 * Exists for audit code. 4912 */ 4913 static int smack_lsmprop_to_secctx(struct lsm_prop *prop, 4914 struct lsm_context *cp) 4915 { 4916 return smack_to_secctx(prop->smack.skp, cp); 4917 } 4918 4919 /** 4920 * smack_secctx_to_secid - return the secid for a smack label 4921 * @secdata: smack label 4922 * @seclen: how long result is 4923 * @secid: outgoing integer 4924 * 4925 * Exists for audit and networking code. 4926 */ 4927 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4928 { 4929 struct smack_known *skp = smk_find_entry(secdata); 4930 4931 if (skp) 4932 *secid = skp->smk_secid; 4933 else 4934 *secid = 0; 4935 return 0; 4936 } 4937 4938 /* 4939 * There used to be a smack_release_secctx hook 4940 * that did nothing back when hooks were in a vector. 4941 * Now that there's a list such a hook adds cost. 4942 */ 4943 4944 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4945 { 4946 /* 4947 * UDS inode has fixed label. Ignore nfs label. 4948 */ 4949 if (S_ISSOCK(inode->i_mode)) 4950 return 0; 4951 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4952 ctxlen, 0); 4953 } 4954 4955 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4956 { 4957 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4958 ctx, ctxlen, 0, NULL); 4959 } 4960 4961 static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 4962 { 4963 struct smack_known *skp = smk_of_inode(inode); 4964 4965 cp->context = skp->smk_known; 4966 cp->len = strlen(skp->smk_known); 4967 cp->id = LSM_ID_SMACK; 4968 return 0; 4969 } 4970 4971 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4972 { 4973 4974 struct task_smack *tsp; 4975 struct smack_known *skp; 4976 struct inode_smack *isp; 4977 struct cred *new_creds = *new; 4978 4979 if (new_creds == NULL) { 4980 new_creds = prepare_creds(); 4981 if (new_creds == NULL) 4982 return -ENOMEM; 4983 } 4984 4985 tsp = smack_cred(new_creds); 4986 4987 /* 4988 * Get label from overlay inode and set it in create_sid 4989 */ 4990 isp = smack_inode(d_inode(dentry)); 4991 skp = isp->smk_inode; 4992 tsp->smk_task = skp; 4993 *new = new_creds; 4994 return 0; 4995 } 4996 4997 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4998 { 4999 /* 5000 * Return -ECANCELED if this is the smack access Smack attribute. 5001 */ 5002 if (!strcmp(name, XATTR_NAME_SMACK)) 5003 return -ECANCELED; 5004 5005 return -EOPNOTSUPP; 5006 } 5007 5008 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 5009 const struct qstr *name, 5010 const struct cred *old, 5011 struct cred *new) 5012 { 5013 struct task_smack *otsp = smack_cred(old); 5014 struct task_smack *ntsp = smack_cred(new); 5015 struct inode_smack *isp; 5016 5017 /* 5018 * Use the process credential unless all of 5019 * the transmuting criteria are met 5020 */ 5021 ntsp->smk_task = otsp->smk_task; 5022 5023 /* 5024 * the attribute of the containing directory 5025 */ 5026 isp = smack_inode(d_inode(dentry->d_parent)); 5027 5028 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 5029 /* 5030 * If the directory is transmuting and the rule 5031 * providing access is transmuting use the containing 5032 * directory label instead of the process label. 5033 */ 5034 if (smk_rule_transmutes(otsp->smk_task, isp->smk_inode)) { 5035 ntsp->smk_task = isp->smk_inode; 5036 ntsp->smk_transmuted = ntsp->smk_task; 5037 } 5038 } 5039 return 0; 5040 } 5041 5042 #ifdef CONFIG_IO_URING 5043 /** 5044 * smack_uring_override_creds - Is io_uring cred override allowed? 5045 * @new: the target creds 5046 * 5047 * Check to see if the current task is allowed to override it's credentials 5048 * to service an io_uring operation. 5049 */ 5050 static int smack_uring_override_creds(const struct cred *new) 5051 { 5052 struct task_smack *tsp = smack_cred(current_cred()); 5053 struct task_smack *nsp = smack_cred(new); 5054 5055 /* 5056 * Allow the degenerate case where the new Smack value is 5057 * the same as the current Smack value. 5058 */ 5059 if (tsp->smk_task == nsp->smk_task) 5060 return 0; 5061 5062 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 5063 return 0; 5064 5065 return -EPERM; 5066 } 5067 5068 /** 5069 * smack_uring_sqpoll - check if a io_uring polling thread can be created 5070 * 5071 * Check to see if the current task is allowed to create a new io_uring 5072 * kernel polling thread. 5073 */ 5074 static int smack_uring_sqpoll(void) 5075 { 5076 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 5077 return 0; 5078 5079 return -EPERM; 5080 } 5081 5082 /** 5083 * smack_uring_cmd - check on file operations for io_uring 5084 * @ioucmd: the command in question 5085 * 5086 * Make a best guess about whether a io_uring "command" should 5087 * be allowed. Use the same logic used for determining if the 5088 * file could be opened for read in the absence of better criteria. 5089 */ 5090 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5091 { 5092 struct file *file = ioucmd->file; 5093 struct smk_audit_info ad; 5094 struct task_smack *tsp; 5095 struct inode *inode; 5096 int rc; 5097 5098 if (!file) 5099 return -EINVAL; 5100 5101 tsp = smack_cred(file->f_cred); 5102 inode = file_inode(file); 5103 5104 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5105 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5106 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5107 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5108 5109 return rc; 5110 } 5111 5112 #endif /* CONFIG_IO_URING */ 5113 5114 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5115 .lbs_cred = sizeof(struct task_smack), 5116 .lbs_file = sizeof(struct smack_known *), 5117 .lbs_inode = sizeof(struct inode_smack), 5118 .lbs_ipc = sizeof(struct smack_known *), 5119 .lbs_key = sizeof(struct smack_known *), 5120 .lbs_msg_msg = sizeof(struct smack_known *), 5121 .lbs_sock = sizeof(struct socket_smack), 5122 .lbs_superblock = sizeof(struct superblock_smack), 5123 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5124 }; 5125 5126 static const struct lsm_id smack_lsmid = { 5127 .name = "smack", 5128 .id = LSM_ID_SMACK, 5129 }; 5130 5131 static struct security_hook_list smack_hooks[] __ro_after_init = { 5132 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5133 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5134 LSM_HOOK_INIT(syslog, smack_syslog), 5135 5136 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5137 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5138 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5139 5140 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5141 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5142 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5143 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5144 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5145 5146 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5147 5148 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5149 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5150 LSM_HOOK_INIT(inode_link, smack_inode_link), 5151 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5152 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5153 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5154 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5155 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5156 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5157 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5158 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5159 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5160 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5161 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5162 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5163 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5164 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5165 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5166 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5167 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5168 LSM_HOOK_INIT(inode_getlsmprop, smack_inode_getlsmprop), 5169 5170 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5171 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5172 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5173 LSM_HOOK_INIT(file_lock, smack_file_lock), 5174 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5175 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5176 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5177 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5178 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5179 LSM_HOOK_INIT(file_receive, smack_file_receive), 5180 5181 LSM_HOOK_INIT(file_open, smack_file_open), 5182 5183 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5184 LSM_HOOK_INIT(cred_free, smack_cred_free), 5185 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5186 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5187 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5188 LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop), 5189 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5190 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5191 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5192 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5193 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5194 LSM_HOOK_INIT(current_getlsmprop_subj, smack_current_getlsmprop_subj), 5195 LSM_HOOK_INIT(task_getlsmprop_obj, smack_task_getlsmprop_obj), 5196 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5197 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5198 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5199 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5200 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5201 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5202 LSM_HOOK_INIT(task_kill, smack_task_kill), 5203 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5204 5205 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5206 LSM_HOOK_INIT(ipc_getlsmprop, smack_ipc_getlsmprop), 5207 5208 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5209 5210 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5211 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5212 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5213 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5214 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5215 5216 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5217 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5218 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5219 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5220 5221 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5222 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5223 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5224 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5225 5226 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5227 5228 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5229 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5230 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5231 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5232 5233 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5234 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5235 5236 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5237 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5238 #ifdef SMACK_IPV6_PORT_LABELING 5239 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5240 #endif 5241 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5242 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5243 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5244 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5245 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5246 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5247 #ifdef SMACK_IPV6_PORT_LABELING 5248 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5249 #endif 5250 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5251 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5252 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5253 5254 /* key management security hooks */ 5255 #ifdef CONFIG_KEYS 5256 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5257 LSM_HOOK_INIT(key_permission, smack_key_permission), 5258 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5259 #ifdef CONFIG_KEY_NOTIFICATIONS 5260 LSM_HOOK_INIT(watch_key, smack_watch_key), 5261 #endif 5262 #endif /* CONFIG_KEYS */ 5263 5264 #ifdef CONFIG_WATCH_QUEUE 5265 LSM_HOOK_INIT(post_notification, smack_post_notification), 5266 #endif 5267 5268 /* Audit hooks */ 5269 #ifdef CONFIG_AUDIT 5270 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5271 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5272 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5273 #endif /* CONFIG_AUDIT */ 5274 5275 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5276 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5277 LSM_HOOK_INIT(lsmprop_to_secctx, smack_lsmprop_to_secctx), 5278 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5279 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5280 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5281 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5282 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5283 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5284 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5285 #ifdef CONFIG_IO_URING 5286 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5287 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5288 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5289 #endif 5290 }; 5291 5292 5293 static __init void init_smack_known_list(void) 5294 { 5295 /* 5296 * Initialize rule list locks 5297 */ 5298 mutex_init(&smack_known_huh.smk_rules_lock); 5299 mutex_init(&smack_known_hat.smk_rules_lock); 5300 mutex_init(&smack_known_floor.smk_rules_lock); 5301 mutex_init(&smack_known_star.smk_rules_lock); 5302 mutex_init(&smack_known_web.smk_rules_lock); 5303 /* 5304 * Initialize rule lists 5305 */ 5306 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5307 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5308 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5309 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5310 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5311 /* 5312 * Create the known labels list 5313 */ 5314 smk_insert_entry(&smack_known_huh); 5315 smk_insert_entry(&smack_known_hat); 5316 smk_insert_entry(&smack_known_star); 5317 smk_insert_entry(&smack_known_floor); 5318 smk_insert_entry(&smack_known_web); 5319 } 5320 5321 /** 5322 * smack_init - initialize the smack system 5323 * 5324 * Returns 0 on success, -ENOMEM is there's no memory 5325 */ 5326 static __init int smack_init(void) 5327 { 5328 struct cred *cred = (struct cred *) current->cred; 5329 struct task_smack *tsp; 5330 5331 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5332 if (!smack_rule_cache) 5333 return -ENOMEM; 5334 5335 /* 5336 * Set the security state for the initial task. 5337 */ 5338 tsp = smack_cred(cred); 5339 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5340 5341 /* 5342 * Register with LSM 5343 */ 5344 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5345 smack_enabled = 1; 5346 5347 pr_info("Smack: Initializing.\n"); 5348 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5349 pr_info("Smack: Netfilter enabled.\n"); 5350 #endif 5351 #ifdef SMACK_IPV6_PORT_LABELING 5352 pr_info("Smack: IPv6 port labeling enabled.\n"); 5353 #endif 5354 #ifdef SMACK_IPV6_SECMARK_LABELING 5355 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5356 #endif 5357 5358 /* initialize the smack_known_list */ 5359 init_smack_known_list(); 5360 5361 /* Inform the audit system that secctx is used */ 5362 audit_cfg_lsm(&smack_lsmid, 5363 AUDIT_CFG_LSM_SECCTX_SUBJECT | 5364 AUDIT_CFG_LSM_SECCTX_OBJECT); 5365 5366 return 0; 5367 } 5368 5369 int __init smack_initcall(void) 5370 { 5371 int rc_fs = init_smk_fs(); 5372 int rc_nf = smack_nf_ip_init(); 5373 5374 return rc_fs ? rc_fs : rc_nf; 5375 } 5376 5377 /* 5378 * Smack requires early initialization in order to label 5379 * all processes and objects when they are created. 5380 */ 5381 DEFINE_LSM(smack) = { 5382 .id = &smack_lsmid, 5383 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5384 .blobs = &smack_blob_sizes, 5385 .init = smack_init, 5386 .initcall_device = smack_initcall, 5387 }; 5388