1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/icmpv6.h> 32 #include <linux/slab.h> 33 #include <linux/mutex.h> 34 #include <linux/pipe_fs_i.h> 35 #include <net/cipso_ipv4.h> 36 #include <net/ip.h> 37 #include <net/ipv6.h> 38 #include <linux/audit.h> 39 #include <linux/magic.h> 40 #include <linux/dcache.h> 41 #include <linux/personality.h> 42 #include <linux/msg.h> 43 #include <linux/shm.h> 44 #include <linux/binfmts.h> 45 #include <linux/parser.h> 46 #include <linux/fs_context.h> 47 #include <linux/fs_parser.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 #ifdef SMACK_IPV6_PORT_LABELING 58 DEFINE_MUTEX(smack_ipv6_lock); 59 static LIST_HEAD(smk_ipv6_port_list); 60 #endif 61 static struct kmem_cache *smack_inode_cache; 62 struct kmem_cache *smack_rule_cache; 63 int smack_enabled; 64 65 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 66 static struct { 67 const char *name; 68 int len; 69 int opt; 70 } smk_mount_opts[] = { 71 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 72 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 73 }; 74 #undef A 75 76 static int match_opt_prefix(char *s, int l, char **arg) 77 { 78 int i; 79 80 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 81 size_t len = smk_mount_opts[i].len; 82 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 83 continue; 84 if (len == l || s[len] != '=') 85 continue; 86 *arg = s + len + 1; 87 return smk_mount_opts[i].opt; 88 } 89 return Opt_error; 90 } 91 92 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 93 static char *smk_bu_mess[] = { 94 "Bringup Error", /* Unused */ 95 "Bringup", /* SMACK_BRINGUP_ALLOW */ 96 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 97 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 98 }; 99 100 static void smk_bu_mode(int mode, char *s) 101 { 102 int i = 0; 103 104 if (mode & MAY_READ) 105 s[i++] = 'r'; 106 if (mode & MAY_WRITE) 107 s[i++] = 'w'; 108 if (mode & MAY_EXEC) 109 s[i++] = 'x'; 110 if (mode & MAY_APPEND) 111 s[i++] = 'a'; 112 if (mode & MAY_TRANSMUTE) 113 s[i++] = 't'; 114 if (mode & MAY_LOCK) 115 s[i++] = 'l'; 116 if (i == 0) 117 s[i++] = '-'; 118 s[i] = '\0'; 119 } 120 #endif 121 122 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 123 static int smk_bu_note(char *note, struct smack_known *sskp, 124 struct smack_known *oskp, int mode, int rc) 125 { 126 char acc[SMK_NUM_ACCESS_TYPE + 1]; 127 128 if (rc <= 0) 129 return rc; 130 if (rc > SMACK_UNCONFINED_OBJECT) 131 rc = 0; 132 133 smk_bu_mode(mode, acc); 134 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 135 sskp->smk_known, oskp->smk_known, acc, note); 136 return 0; 137 } 138 #else 139 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 140 #endif 141 142 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 143 static int smk_bu_current(char *note, struct smack_known *oskp, 144 int mode, int rc) 145 { 146 struct task_smack *tsp = smack_cred(current_cred()); 147 char acc[SMK_NUM_ACCESS_TYPE + 1]; 148 149 if (rc <= 0) 150 return rc; 151 if (rc > SMACK_UNCONFINED_OBJECT) 152 rc = 0; 153 154 smk_bu_mode(mode, acc); 155 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 156 tsp->smk_task->smk_known, oskp->smk_known, 157 acc, current->comm, note); 158 return 0; 159 } 160 #else 161 #define smk_bu_current(note, oskp, mode, RC) (RC) 162 #endif 163 164 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 165 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 166 { 167 struct task_smack *tsp = smack_cred(current_cred()); 168 struct smack_known *smk_task = smk_of_task_struct(otp); 169 char acc[SMK_NUM_ACCESS_TYPE + 1]; 170 171 if (rc <= 0) 172 return rc; 173 if (rc > SMACK_UNCONFINED_OBJECT) 174 rc = 0; 175 176 smk_bu_mode(mode, acc); 177 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 178 tsp->smk_task->smk_known, smk_task->smk_known, acc, 179 current->comm, otp->comm); 180 return 0; 181 } 182 #else 183 #define smk_bu_task(otp, mode, RC) (RC) 184 #endif 185 186 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 187 static int smk_bu_inode(struct inode *inode, int mode, int rc) 188 { 189 struct task_smack *tsp = smack_cred(current_cred()); 190 struct inode_smack *isp = smack_inode(inode); 191 char acc[SMK_NUM_ACCESS_TYPE + 1]; 192 193 if (isp->smk_flags & SMK_INODE_IMPURE) 194 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 195 inode->i_sb->s_id, inode->i_ino, current->comm); 196 197 if (rc <= 0) 198 return rc; 199 if (rc > SMACK_UNCONFINED_OBJECT) 200 rc = 0; 201 if (rc == SMACK_UNCONFINED_SUBJECT && 202 (mode & (MAY_WRITE | MAY_APPEND))) 203 isp->smk_flags |= SMK_INODE_IMPURE; 204 205 smk_bu_mode(mode, acc); 206 207 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 208 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 209 inode->i_sb->s_id, inode->i_ino, current->comm); 210 return 0; 211 } 212 #else 213 #define smk_bu_inode(inode, mode, RC) (RC) 214 #endif 215 216 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 217 static int smk_bu_file(struct file *file, int mode, int rc) 218 { 219 struct task_smack *tsp = smack_cred(current_cred()); 220 struct smack_known *sskp = tsp->smk_task; 221 struct inode *inode = file_inode(file); 222 struct inode_smack *isp = smack_inode(inode); 223 char acc[SMK_NUM_ACCESS_TYPE + 1]; 224 225 if (isp->smk_flags & SMK_INODE_IMPURE) 226 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 227 inode->i_sb->s_id, inode->i_ino, current->comm); 228 229 if (rc <= 0) 230 return rc; 231 if (rc > SMACK_UNCONFINED_OBJECT) 232 rc = 0; 233 234 smk_bu_mode(mode, acc); 235 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 236 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 237 inode->i_sb->s_id, inode->i_ino, file, 238 current->comm); 239 return 0; 240 } 241 #else 242 #define smk_bu_file(file, mode, RC) (RC) 243 #endif 244 245 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 246 static int smk_bu_credfile(const struct cred *cred, struct file *file, 247 int mode, int rc) 248 { 249 struct task_smack *tsp = smack_cred(cred); 250 struct smack_known *sskp = tsp->smk_task; 251 struct inode *inode = file_inode(file); 252 struct inode_smack *isp = smack_inode(inode); 253 char acc[SMK_NUM_ACCESS_TYPE + 1]; 254 255 if (isp->smk_flags & SMK_INODE_IMPURE) 256 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 257 inode->i_sb->s_id, inode->i_ino, current->comm); 258 259 if (rc <= 0) 260 return rc; 261 if (rc > SMACK_UNCONFINED_OBJECT) 262 rc = 0; 263 264 smk_bu_mode(mode, acc); 265 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 266 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 267 inode->i_sb->s_id, inode->i_ino, file, 268 current->comm); 269 return 0; 270 } 271 #else 272 #define smk_bu_credfile(cred, file, mode, RC) (RC) 273 #endif 274 275 /** 276 * smk_fetch - Fetch the smack label from a file. 277 * @name: type of the label (attribute) 278 * @ip: a pointer to the inode 279 * @dp: a pointer to the dentry 280 * 281 * Returns a pointer to the master list entry for the Smack label, 282 * NULL if there was no label to fetch, or an error code. 283 */ 284 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 285 struct dentry *dp) 286 { 287 int rc; 288 char *buffer; 289 struct smack_known *skp = NULL; 290 291 if (!(ip->i_opflags & IOP_XATTR)) 292 return ERR_PTR(-EOPNOTSUPP); 293 294 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 295 if (buffer == NULL) 296 return ERR_PTR(-ENOMEM); 297 298 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 299 if (rc < 0) 300 skp = ERR_PTR(rc); 301 else if (rc == 0) 302 skp = NULL; 303 else 304 skp = smk_import_entry(buffer, rc); 305 306 kfree(buffer); 307 308 return skp; 309 } 310 311 /** 312 * init_inode_smack - initialize an inode security blob 313 * @isp: the blob to initialize 314 * @skp: a pointer to the Smack label entry to use in the blob 315 * 316 */ 317 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 318 { 319 struct inode_smack *isp = smack_inode(inode); 320 321 isp->smk_inode = skp; 322 isp->smk_flags = 0; 323 mutex_init(&isp->smk_lock); 324 } 325 326 /** 327 * init_task_smack - initialize a task security blob 328 * @tsp: blob to initialize 329 * @task: a pointer to the Smack label for the running task 330 * @forked: a pointer to the Smack label for the forked task 331 * 332 */ 333 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 334 struct smack_known *forked) 335 { 336 tsp->smk_task = task; 337 tsp->smk_forked = forked; 338 INIT_LIST_HEAD(&tsp->smk_rules); 339 INIT_LIST_HEAD(&tsp->smk_relabel); 340 mutex_init(&tsp->smk_rules_lock); 341 } 342 343 /** 344 * smk_copy_rules - copy a rule set 345 * @nhead: new rules header pointer 346 * @ohead: old rules header pointer 347 * @gfp: type of the memory for the allocation 348 * 349 * Returns 0 on success, -ENOMEM on error 350 */ 351 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 352 gfp_t gfp) 353 { 354 struct smack_rule *nrp; 355 struct smack_rule *orp; 356 int rc = 0; 357 358 list_for_each_entry_rcu(orp, ohead, list) { 359 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 360 if (nrp == NULL) { 361 rc = -ENOMEM; 362 break; 363 } 364 *nrp = *orp; 365 list_add_rcu(&nrp->list, nhead); 366 } 367 return rc; 368 } 369 370 /** 371 * smk_copy_relabel - copy smk_relabel labels list 372 * @nhead: new rules header pointer 373 * @ohead: old rules header pointer 374 * @gfp: type of the memory for the allocation 375 * 376 * Returns 0 on success, -ENOMEM on error 377 */ 378 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 379 gfp_t gfp) 380 { 381 struct smack_known_list_elem *nklep; 382 struct smack_known_list_elem *oklep; 383 384 list_for_each_entry(oklep, ohead, list) { 385 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 386 if (nklep == NULL) { 387 smk_destroy_label_list(nhead); 388 return -ENOMEM; 389 } 390 nklep->smk_label = oklep->smk_label; 391 list_add(&nklep->list, nhead); 392 } 393 394 return 0; 395 } 396 397 /** 398 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 399 * @mode - input mode in form of PTRACE_MODE_* 400 * 401 * Returns a converted MAY_* mode usable by smack rules 402 */ 403 static inline unsigned int smk_ptrace_mode(unsigned int mode) 404 { 405 if (mode & PTRACE_MODE_ATTACH) 406 return MAY_READWRITE; 407 if (mode & PTRACE_MODE_READ) 408 return MAY_READ; 409 410 return 0; 411 } 412 413 /** 414 * smk_ptrace_rule_check - helper for ptrace access 415 * @tracer: tracer process 416 * @tracee_known: label entry of the process that's about to be traced 417 * @mode: ptrace attachment mode (PTRACE_MODE_*) 418 * @func: name of the function that called us, used for audit 419 * 420 * Returns 0 on access granted, -error on error 421 */ 422 static int smk_ptrace_rule_check(struct task_struct *tracer, 423 struct smack_known *tracee_known, 424 unsigned int mode, const char *func) 425 { 426 int rc; 427 struct smk_audit_info ad, *saip = NULL; 428 struct task_smack *tsp; 429 struct smack_known *tracer_known; 430 const struct cred *tracercred; 431 432 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 433 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 434 smk_ad_setfield_u_tsk(&ad, tracer); 435 saip = &ad; 436 } 437 438 rcu_read_lock(); 439 tracercred = __task_cred(tracer); 440 tsp = smack_cred(tracercred); 441 tracer_known = smk_of_task(tsp); 442 443 if ((mode & PTRACE_MODE_ATTACH) && 444 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 445 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 446 if (tracer_known->smk_known == tracee_known->smk_known) 447 rc = 0; 448 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 449 rc = -EACCES; 450 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 451 rc = 0; 452 else 453 rc = -EACCES; 454 455 if (saip) 456 smack_log(tracer_known->smk_known, 457 tracee_known->smk_known, 458 0, rc, saip); 459 460 rcu_read_unlock(); 461 return rc; 462 } 463 464 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 465 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 466 467 rcu_read_unlock(); 468 return rc; 469 } 470 471 /* 472 * LSM hooks. 473 * We he, that is fun! 474 */ 475 476 /** 477 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 478 * @ctp: child task pointer 479 * @mode: ptrace attachment mode (PTRACE_MODE_*) 480 * 481 * Returns 0 if access is OK, an error code otherwise 482 * 483 * Do the capability checks. 484 */ 485 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 486 { 487 struct smack_known *skp; 488 489 skp = smk_of_task_struct(ctp); 490 491 return smk_ptrace_rule_check(current, skp, mode, __func__); 492 } 493 494 /** 495 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 496 * @ptp: parent task pointer 497 * 498 * Returns 0 if access is OK, an error code otherwise 499 * 500 * Do the capability checks, and require PTRACE_MODE_ATTACH. 501 */ 502 static int smack_ptrace_traceme(struct task_struct *ptp) 503 { 504 int rc; 505 struct smack_known *skp; 506 507 skp = smk_of_task(smack_cred(current_cred())); 508 509 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 510 return rc; 511 } 512 513 /** 514 * smack_syslog - Smack approval on syslog 515 * @type: message type 516 * 517 * Returns 0 on success, error code otherwise. 518 */ 519 static int smack_syslog(int typefrom_file) 520 { 521 int rc = 0; 522 struct smack_known *skp = smk_of_current(); 523 524 if (smack_privileged(CAP_MAC_OVERRIDE)) 525 return 0; 526 527 if (smack_syslog_label != NULL && smack_syslog_label != skp) 528 rc = -EACCES; 529 530 return rc; 531 } 532 533 /* 534 * Superblock Hooks. 535 */ 536 537 /** 538 * smack_sb_alloc_security - allocate a superblock blob 539 * @sb: the superblock getting the blob 540 * 541 * Returns 0 on success or -ENOMEM on error. 542 */ 543 static int smack_sb_alloc_security(struct super_block *sb) 544 { 545 struct superblock_smack *sbsp; 546 547 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 548 549 if (sbsp == NULL) 550 return -ENOMEM; 551 552 sbsp->smk_root = &smack_known_floor; 553 sbsp->smk_default = &smack_known_floor; 554 sbsp->smk_floor = &smack_known_floor; 555 sbsp->smk_hat = &smack_known_hat; 556 /* 557 * SMK_SB_INITIALIZED will be zero from kzalloc. 558 */ 559 sb->s_security = sbsp; 560 561 return 0; 562 } 563 564 /** 565 * smack_sb_free_security - free a superblock blob 566 * @sb: the superblock getting the blob 567 * 568 */ 569 static void smack_sb_free_security(struct super_block *sb) 570 { 571 kfree(sb->s_security); 572 sb->s_security = NULL; 573 } 574 575 struct smack_mnt_opts { 576 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 577 }; 578 579 static void smack_free_mnt_opts(void *mnt_opts) 580 { 581 struct smack_mnt_opts *opts = mnt_opts; 582 kfree(opts->fsdefault); 583 kfree(opts->fsfloor); 584 kfree(opts->fshat); 585 kfree(opts->fsroot); 586 kfree(opts->fstransmute); 587 kfree(opts); 588 } 589 590 static int smack_add_opt(int token, const char *s, void **mnt_opts) 591 { 592 struct smack_mnt_opts *opts = *mnt_opts; 593 594 if (!opts) { 595 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 596 if (!opts) 597 return -ENOMEM; 598 *mnt_opts = opts; 599 } 600 if (!s) 601 return -ENOMEM; 602 603 switch (token) { 604 case Opt_fsdefault: 605 if (opts->fsdefault) 606 goto out_opt_err; 607 opts->fsdefault = s; 608 break; 609 case Opt_fsfloor: 610 if (opts->fsfloor) 611 goto out_opt_err; 612 opts->fsfloor = s; 613 break; 614 case Opt_fshat: 615 if (opts->fshat) 616 goto out_opt_err; 617 opts->fshat = s; 618 break; 619 case Opt_fsroot: 620 if (opts->fsroot) 621 goto out_opt_err; 622 opts->fsroot = s; 623 break; 624 case Opt_fstransmute: 625 if (opts->fstransmute) 626 goto out_opt_err; 627 opts->fstransmute = s; 628 break; 629 } 630 return 0; 631 632 out_opt_err: 633 pr_warn("Smack: duplicate mount options\n"); 634 return -EINVAL; 635 } 636 637 /** 638 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 639 * @fc: The new filesystem context. 640 * @src_fc: The source filesystem context being duplicated. 641 * 642 * Returns 0 on success or -ENOMEM on error. 643 */ 644 static int smack_fs_context_dup(struct fs_context *fc, 645 struct fs_context *src_fc) 646 { 647 struct smack_mnt_opts *dst, *src = src_fc->security; 648 649 if (!src) 650 return 0; 651 652 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 653 if (!fc->security) 654 return -ENOMEM; 655 dst = fc->security; 656 657 if (src->fsdefault) { 658 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL); 659 if (!dst->fsdefault) 660 return -ENOMEM; 661 } 662 if (src->fsfloor) { 663 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL); 664 if (!dst->fsfloor) 665 return -ENOMEM; 666 } 667 if (src->fshat) { 668 dst->fshat = kstrdup(src->fshat, GFP_KERNEL); 669 if (!dst->fshat) 670 return -ENOMEM; 671 } 672 if (src->fsroot) { 673 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL); 674 if (!dst->fsroot) 675 return -ENOMEM; 676 } 677 if (src->fstransmute) { 678 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL); 679 if (!dst->fstransmute) 680 return -ENOMEM; 681 } 682 return 0; 683 } 684 685 static const struct fs_parameter_spec smack_param_specs[] = { 686 fsparam_string("smackfsdef", Opt_fsdefault), 687 fsparam_string("smackfsdefault", Opt_fsdefault), 688 fsparam_string("smackfsfloor", Opt_fsfloor), 689 fsparam_string("smackfshat", Opt_fshat), 690 fsparam_string("smackfsroot", Opt_fsroot), 691 fsparam_string("smackfstransmute", Opt_fstransmute), 692 {} 693 }; 694 695 static const struct fs_parameter_description smack_fs_parameters = { 696 .name = "smack", 697 .specs = smack_param_specs, 698 }; 699 700 /** 701 * smack_fs_context_parse_param - Parse a single mount parameter 702 * @fc: The new filesystem context being constructed. 703 * @param: The parameter. 704 * 705 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 706 * error. 707 */ 708 static int smack_fs_context_parse_param(struct fs_context *fc, 709 struct fs_parameter *param) 710 { 711 struct fs_parse_result result; 712 int opt, rc; 713 714 opt = fs_parse(fc, &smack_fs_parameters, param, &result); 715 if (opt < 0) 716 return opt; 717 718 rc = smack_add_opt(opt, param->string, &fc->security); 719 if (!rc) 720 param->string = NULL; 721 return rc; 722 } 723 724 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 725 { 726 char *from = options, *to = options; 727 bool first = true; 728 729 while (1) { 730 char *next = strchr(from, ','); 731 int token, len, rc; 732 char *arg = NULL; 733 734 if (next) 735 len = next - from; 736 else 737 len = strlen(from); 738 739 token = match_opt_prefix(from, len, &arg); 740 if (token != Opt_error) { 741 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 742 rc = smack_add_opt(token, arg, mnt_opts); 743 if (unlikely(rc)) { 744 kfree(arg); 745 if (*mnt_opts) 746 smack_free_mnt_opts(*mnt_opts); 747 *mnt_opts = NULL; 748 return rc; 749 } 750 } else { 751 if (!first) { // copy with preceding comma 752 from--; 753 len++; 754 } 755 if (to != from) 756 memmove(to, from, len); 757 to += len; 758 first = false; 759 } 760 if (!from[len]) 761 break; 762 from += len + 1; 763 } 764 *to = '\0'; 765 return 0; 766 } 767 768 /** 769 * smack_set_mnt_opts - set Smack specific mount options 770 * @sb: the file system superblock 771 * @opts: Smack mount options 772 * @kern_flags: mount option from kernel space or user space 773 * @set_kern_flags: where to store converted mount opts 774 * 775 * Returns 0 on success, an error code on failure 776 * 777 * Allow filesystems with binary mount data to explicitly set Smack mount 778 * labels. 779 */ 780 static int smack_set_mnt_opts(struct super_block *sb, 781 void *mnt_opts, 782 unsigned long kern_flags, 783 unsigned long *set_kern_flags) 784 { 785 struct dentry *root = sb->s_root; 786 struct inode *inode = d_backing_inode(root); 787 struct superblock_smack *sp = sb->s_security; 788 struct inode_smack *isp; 789 struct smack_known *skp; 790 struct smack_mnt_opts *opts = mnt_opts; 791 bool transmute = false; 792 793 if (sp->smk_flags & SMK_SB_INITIALIZED) 794 return 0; 795 796 if (inode->i_security == NULL) { 797 int rc = lsm_inode_alloc(inode); 798 799 if (rc) 800 return rc; 801 } 802 803 if (!smack_privileged(CAP_MAC_ADMIN)) { 804 /* 805 * Unprivileged mounts don't get to specify Smack values. 806 */ 807 if (opts) 808 return -EPERM; 809 /* 810 * Unprivileged mounts get root and default from the caller. 811 */ 812 skp = smk_of_current(); 813 sp->smk_root = skp; 814 sp->smk_default = skp; 815 /* 816 * For a handful of fs types with no user-controlled 817 * backing store it's okay to trust security labels 818 * in the filesystem. The rest are untrusted. 819 */ 820 if (sb->s_user_ns != &init_user_ns && 821 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 822 sb->s_magic != RAMFS_MAGIC) { 823 transmute = true; 824 sp->smk_flags |= SMK_SB_UNTRUSTED; 825 } 826 } 827 828 sp->smk_flags |= SMK_SB_INITIALIZED; 829 830 if (opts) { 831 if (opts->fsdefault) { 832 skp = smk_import_entry(opts->fsdefault, 0); 833 if (IS_ERR(skp)) 834 return PTR_ERR(skp); 835 sp->smk_default = skp; 836 } 837 if (opts->fsfloor) { 838 skp = smk_import_entry(opts->fsfloor, 0); 839 if (IS_ERR(skp)) 840 return PTR_ERR(skp); 841 sp->smk_floor = skp; 842 } 843 if (opts->fshat) { 844 skp = smk_import_entry(opts->fshat, 0); 845 if (IS_ERR(skp)) 846 return PTR_ERR(skp); 847 sp->smk_hat = skp; 848 } 849 if (opts->fsroot) { 850 skp = smk_import_entry(opts->fsroot, 0); 851 if (IS_ERR(skp)) 852 return PTR_ERR(skp); 853 sp->smk_root = skp; 854 } 855 if (opts->fstransmute) { 856 skp = smk_import_entry(opts->fstransmute, 0); 857 if (IS_ERR(skp)) 858 return PTR_ERR(skp); 859 sp->smk_root = skp; 860 transmute = true; 861 } 862 } 863 864 /* 865 * Initialize the root inode. 866 */ 867 init_inode_smack(inode, sp->smk_root); 868 869 if (transmute) { 870 isp = smack_inode(inode); 871 isp->smk_flags |= SMK_INODE_TRANSMUTE; 872 } 873 874 return 0; 875 } 876 877 /** 878 * smack_sb_statfs - Smack check on statfs 879 * @dentry: identifies the file system in question 880 * 881 * Returns 0 if current can read the floor of the filesystem, 882 * and error code otherwise 883 */ 884 static int smack_sb_statfs(struct dentry *dentry) 885 { 886 struct superblock_smack *sbp = dentry->d_sb->s_security; 887 int rc; 888 struct smk_audit_info ad; 889 890 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 891 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 892 893 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 894 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 895 return rc; 896 } 897 898 /* 899 * BPRM hooks 900 */ 901 902 /** 903 * smack_bprm_set_creds - set creds for exec 904 * @bprm: the exec information 905 * 906 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 907 */ 908 static int smack_bprm_set_creds(struct linux_binprm *bprm) 909 { 910 struct inode *inode = file_inode(bprm->file); 911 struct task_smack *bsp = smack_cred(bprm->cred); 912 struct inode_smack *isp; 913 struct superblock_smack *sbsp; 914 int rc; 915 916 if (bprm->called_set_creds) 917 return 0; 918 919 isp = smack_inode(inode); 920 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 921 return 0; 922 923 sbsp = inode->i_sb->s_security; 924 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 925 isp->smk_task != sbsp->smk_root) 926 return 0; 927 928 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 929 struct task_struct *tracer; 930 rc = 0; 931 932 rcu_read_lock(); 933 tracer = ptrace_parent(current); 934 if (likely(tracer != NULL)) 935 rc = smk_ptrace_rule_check(tracer, 936 isp->smk_task, 937 PTRACE_MODE_ATTACH, 938 __func__); 939 rcu_read_unlock(); 940 941 if (rc != 0) 942 return rc; 943 } else if (bprm->unsafe) 944 return -EPERM; 945 946 bsp->smk_task = isp->smk_task; 947 bprm->per_clear |= PER_CLEAR_ON_SETID; 948 949 /* Decide if this is a secure exec. */ 950 if (bsp->smk_task != bsp->smk_forked) 951 bprm->secureexec = 1; 952 953 return 0; 954 } 955 956 /* 957 * Inode hooks 958 */ 959 960 /** 961 * smack_inode_alloc_security - allocate an inode blob 962 * @inode: the inode in need of a blob 963 * 964 * Returns 0 if it gets a blob, -ENOMEM otherwise 965 */ 966 static int smack_inode_alloc_security(struct inode *inode) 967 { 968 struct smack_known *skp = smk_of_current(); 969 970 init_inode_smack(inode, skp); 971 return 0; 972 } 973 974 /** 975 * smack_inode_init_security - copy out the smack from an inode 976 * @inode: the newly created inode 977 * @dir: containing directory object 978 * @qstr: unused 979 * @name: where to put the attribute name 980 * @value: where to put the attribute value 981 * @len: where to put the length of the attribute 982 * 983 * Returns 0 if it all works out, -ENOMEM if there's no memory 984 */ 985 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 986 const struct qstr *qstr, const char **name, 987 void **value, size_t *len) 988 { 989 struct inode_smack *issp = smack_inode(inode); 990 struct smack_known *skp = smk_of_current(); 991 struct smack_known *isp = smk_of_inode(inode); 992 struct smack_known *dsp = smk_of_inode(dir); 993 int may; 994 995 if (name) 996 *name = XATTR_SMACK_SUFFIX; 997 998 if (value && len) { 999 rcu_read_lock(); 1000 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1001 &skp->smk_rules); 1002 rcu_read_unlock(); 1003 1004 /* 1005 * If the access rule allows transmutation and 1006 * the directory requests transmutation then 1007 * by all means transmute. 1008 * Mark the inode as changed. 1009 */ 1010 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1011 smk_inode_transmutable(dir)) { 1012 isp = dsp; 1013 issp->smk_flags |= SMK_INODE_CHANGED; 1014 } 1015 1016 *value = kstrdup(isp->smk_known, GFP_NOFS); 1017 if (*value == NULL) 1018 return -ENOMEM; 1019 1020 *len = strlen(isp->smk_known); 1021 } 1022 1023 return 0; 1024 } 1025 1026 /** 1027 * smack_inode_link - Smack check on link 1028 * @old_dentry: the existing object 1029 * @dir: unused 1030 * @new_dentry: the new object 1031 * 1032 * Returns 0 if access is permitted, an error code otherwise 1033 */ 1034 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1035 struct dentry *new_dentry) 1036 { 1037 struct smack_known *isp; 1038 struct smk_audit_info ad; 1039 int rc; 1040 1041 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1042 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1043 1044 isp = smk_of_inode(d_backing_inode(old_dentry)); 1045 rc = smk_curacc(isp, MAY_WRITE, &ad); 1046 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1047 1048 if (rc == 0 && d_is_positive(new_dentry)) { 1049 isp = smk_of_inode(d_backing_inode(new_dentry)); 1050 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1051 rc = smk_curacc(isp, MAY_WRITE, &ad); 1052 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1053 } 1054 1055 return rc; 1056 } 1057 1058 /** 1059 * smack_inode_unlink - Smack check on inode deletion 1060 * @dir: containing directory object 1061 * @dentry: file to unlink 1062 * 1063 * Returns 0 if current can write the containing directory 1064 * and the object, error code otherwise 1065 */ 1066 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1067 { 1068 struct inode *ip = d_backing_inode(dentry); 1069 struct smk_audit_info ad; 1070 int rc; 1071 1072 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1073 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1074 1075 /* 1076 * You need write access to the thing you're unlinking 1077 */ 1078 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1079 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1080 if (rc == 0) { 1081 /* 1082 * You also need write access to the containing directory 1083 */ 1084 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1085 smk_ad_setfield_u_fs_inode(&ad, dir); 1086 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1087 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1088 } 1089 return rc; 1090 } 1091 1092 /** 1093 * smack_inode_rmdir - Smack check on directory deletion 1094 * @dir: containing directory object 1095 * @dentry: directory to unlink 1096 * 1097 * Returns 0 if current can write the containing directory 1098 * and the directory, error code otherwise 1099 */ 1100 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1101 { 1102 struct smk_audit_info ad; 1103 int rc; 1104 1105 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1106 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1107 1108 /* 1109 * You need write access to the thing you're removing 1110 */ 1111 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1112 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1113 if (rc == 0) { 1114 /* 1115 * You also need write access to the containing directory 1116 */ 1117 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1118 smk_ad_setfield_u_fs_inode(&ad, dir); 1119 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1120 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1121 } 1122 1123 return rc; 1124 } 1125 1126 /** 1127 * smack_inode_rename - Smack check on rename 1128 * @old_inode: unused 1129 * @old_dentry: the old object 1130 * @new_inode: unused 1131 * @new_dentry: the new object 1132 * 1133 * Read and write access is required on both the old and 1134 * new directories. 1135 * 1136 * Returns 0 if access is permitted, an error code otherwise 1137 */ 1138 static int smack_inode_rename(struct inode *old_inode, 1139 struct dentry *old_dentry, 1140 struct inode *new_inode, 1141 struct dentry *new_dentry) 1142 { 1143 int rc; 1144 struct smack_known *isp; 1145 struct smk_audit_info ad; 1146 1147 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1148 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1149 1150 isp = smk_of_inode(d_backing_inode(old_dentry)); 1151 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1152 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1153 1154 if (rc == 0 && d_is_positive(new_dentry)) { 1155 isp = smk_of_inode(d_backing_inode(new_dentry)); 1156 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1157 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1158 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1159 } 1160 return rc; 1161 } 1162 1163 /** 1164 * smack_inode_permission - Smack version of permission() 1165 * @inode: the inode in question 1166 * @mask: the access requested 1167 * 1168 * This is the important Smack hook. 1169 * 1170 * Returns 0 if access is permitted, -EACCES otherwise 1171 */ 1172 static int smack_inode_permission(struct inode *inode, int mask) 1173 { 1174 struct superblock_smack *sbsp = inode->i_sb->s_security; 1175 struct smk_audit_info ad; 1176 int no_block = mask & MAY_NOT_BLOCK; 1177 int rc; 1178 1179 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1180 /* 1181 * No permission to check. Existence test. Yup, it's there. 1182 */ 1183 if (mask == 0) 1184 return 0; 1185 1186 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1187 if (smk_of_inode(inode) != sbsp->smk_root) 1188 return -EACCES; 1189 } 1190 1191 /* May be droppable after audit */ 1192 if (no_block) 1193 return -ECHILD; 1194 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1195 smk_ad_setfield_u_fs_inode(&ad, inode); 1196 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1197 rc = smk_bu_inode(inode, mask, rc); 1198 return rc; 1199 } 1200 1201 /** 1202 * smack_inode_setattr - Smack check for setting attributes 1203 * @dentry: the object 1204 * @iattr: for the force flag 1205 * 1206 * Returns 0 if access is permitted, an error code otherwise 1207 */ 1208 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1209 { 1210 struct smk_audit_info ad; 1211 int rc; 1212 1213 /* 1214 * Need to allow for clearing the setuid bit. 1215 */ 1216 if (iattr->ia_valid & ATTR_FORCE) 1217 return 0; 1218 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1219 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1220 1221 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1222 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1223 return rc; 1224 } 1225 1226 /** 1227 * smack_inode_getattr - Smack check for getting attributes 1228 * @mnt: vfsmount of the object 1229 * @dentry: the object 1230 * 1231 * Returns 0 if access is permitted, an error code otherwise 1232 */ 1233 static int smack_inode_getattr(const struct path *path) 1234 { 1235 struct smk_audit_info ad; 1236 struct inode *inode = d_backing_inode(path->dentry); 1237 int rc; 1238 1239 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1240 smk_ad_setfield_u_fs_path(&ad, *path); 1241 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1242 rc = smk_bu_inode(inode, MAY_READ, rc); 1243 return rc; 1244 } 1245 1246 /** 1247 * smack_inode_setxattr - Smack check for setting xattrs 1248 * @dentry: the object 1249 * @name: name of the attribute 1250 * @value: value of the attribute 1251 * @size: size of the value 1252 * @flags: unused 1253 * 1254 * This protects the Smack attribute explicitly. 1255 * 1256 * Returns 0 if access is permitted, an error code otherwise 1257 */ 1258 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1259 const void *value, size_t size, int flags) 1260 { 1261 struct smk_audit_info ad; 1262 struct smack_known *skp; 1263 int check_priv = 0; 1264 int check_import = 0; 1265 int check_star = 0; 1266 int rc = 0; 1267 1268 /* 1269 * Check label validity here so import won't fail in post_setxattr 1270 */ 1271 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1272 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1273 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1274 check_priv = 1; 1275 check_import = 1; 1276 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1277 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1278 check_priv = 1; 1279 check_import = 1; 1280 check_star = 1; 1281 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1282 check_priv = 1; 1283 if (size != TRANS_TRUE_SIZE || 1284 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1285 rc = -EINVAL; 1286 } else 1287 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1288 1289 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1290 rc = -EPERM; 1291 1292 if (rc == 0 && check_import) { 1293 skp = size ? smk_import_entry(value, size) : NULL; 1294 if (IS_ERR(skp)) 1295 rc = PTR_ERR(skp); 1296 else if (skp == NULL || (check_star && 1297 (skp == &smack_known_star || skp == &smack_known_web))) 1298 rc = -EINVAL; 1299 } 1300 1301 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1302 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1303 1304 if (rc == 0) { 1305 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1306 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1307 } 1308 1309 return rc; 1310 } 1311 1312 /** 1313 * smack_inode_post_setxattr - Apply the Smack update approved above 1314 * @dentry: object 1315 * @name: attribute name 1316 * @value: attribute value 1317 * @size: attribute size 1318 * @flags: unused 1319 * 1320 * Set the pointer in the inode blob to the entry found 1321 * in the master label list. 1322 */ 1323 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1324 const void *value, size_t size, int flags) 1325 { 1326 struct smack_known *skp; 1327 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1328 1329 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1330 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1331 return; 1332 } 1333 1334 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1335 skp = smk_import_entry(value, size); 1336 if (!IS_ERR(skp)) 1337 isp->smk_inode = skp; 1338 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1339 skp = smk_import_entry(value, size); 1340 if (!IS_ERR(skp)) 1341 isp->smk_task = skp; 1342 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1343 skp = smk_import_entry(value, size); 1344 if (!IS_ERR(skp)) 1345 isp->smk_mmap = skp; 1346 } 1347 1348 return; 1349 } 1350 1351 /** 1352 * smack_inode_getxattr - Smack check on getxattr 1353 * @dentry: the object 1354 * @name: unused 1355 * 1356 * Returns 0 if access is permitted, an error code otherwise 1357 */ 1358 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1359 { 1360 struct smk_audit_info ad; 1361 int rc; 1362 1363 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1364 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1365 1366 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1367 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1368 return rc; 1369 } 1370 1371 /** 1372 * smack_inode_removexattr - Smack check on removexattr 1373 * @dentry: the object 1374 * @name: name of the attribute 1375 * 1376 * Removing the Smack attribute requires CAP_MAC_ADMIN 1377 * 1378 * Returns 0 if access is permitted, an error code otherwise 1379 */ 1380 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1381 { 1382 struct inode_smack *isp; 1383 struct smk_audit_info ad; 1384 int rc = 0; 1385 1386 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1387 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1388 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1389 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1390 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1391 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1392 if (!smack_privileged(CAP_MAC_ADMIN)) 1393 rc = -EPERM; 1394 } else 1395 rc = cap_inode_removexattr(dentry, name); 1396 1397 if (rc != 0) 1398 return rc; 1399 1400 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1401 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1402 1403 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1404 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1405 if (rc != 0) 1406 return rc; 1407 1408 isp = smack_inode(d_backing_inode(dentry)); 1409 /* 1410 * Don't do anything special for these. 1411 * XATTR_NAME_SMACKIPIN 1412 * XATTR_NAME_SMACKIPOUT 1413 */ 1414 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1415 struct super_block *sbp = dentry->d_sb; 1416 struct superblock_smack *sbsp = sbp->s_security; 1417 1418 isp->smk_inode = sbsp->smk_default; 1419 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1420 isp->smk_task = NULL; 1421 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1422 isp->smk_mmap = NULL; 1423 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1424 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1425 1426 return 0; 1427 } 1428 1429 /** 1430 * smack_inode_getsecurity - get smack xattrs 1431 * @inode: the object 1432 * @name: attribute name 1433 * @buffer: where to put the result 1434 * @alloc: duplicate memory 1435 * 1436 * Returns the size of the attribute or an error code 1437 */ 1438 static int smack_inode_getsecurity(struct inode *inode, 1439 const char *name, void **buffer, 1440 bool alloc) 1441 { 1442 struct socket_smack *ssp; 1443 struct socket *sock; 1444 struct super_block *sbp; 1445 struct inode *ip = (struct inode *)inode; 1446 struct smack_known *isp; 1447 1448 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1449 isp = smk_of_inode(inode); 1450 else { 1451 /* 1452 * The rest of the Smack xattrs are only on sockets. 1453 */ 1454 sbp = ip->i_sb; 1455 if (sbp->s_magic != SOCKFS_MAGIC) 1456 return -EOPNOTSUPP; 1457 1458 sock = SOCKET_I(ip); 1459 if (sock == NULL || sock->sk == NULL) 1460 return -EOPNOTSUPP; 1461 1462 ssp = sock->sk->sk_security; 1463 1464 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1465 isp = ssp->smk_in; 1466 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1467 isp = ssp->smk_out; 1468 else 1469 return -EOPNOTSUPP; 1470 } 1471 1472 if (alloc) { 1473 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1474 if (*buffer == NULL) 1475 return -ENOMEM; 1476 } 1477 1478 return strlen(isp->smk_known); 1479 } 1480 1481 1482 /** 1483 * smack_inode_listsecurity - list the Smack attributes 1484 * @inode: the object 1485 * @buffer: where they go 1486 * @buffer_size: size of buffer 1487 */ 1488 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1489 size_t buffer_size) 1490 { 1491 int len = sizeof(XATTR_NAME_SMACK); 1492 1493 if (buffer != NULL && len <= buffer_size) 1494 memcpy(buffer, XATTR_NAME_SMACK, len); 1495 1496 return len; 1497 } 1498 1499 /** 1500 * smack_inode_getsecid - Extract inode's security id 1501 * @inode: inode to extract the info from 1502 * @secid: where result will be saved 1503 */ 1504 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1505 { 1506 struct smack_known *skp = smk_of_inode(inode); 1507 1508 *secid = skp->smk_secid; 1509 } 1510 1511 /* 1512 * File Hooks 1513 */ 1514 1515 /* 1516 * There is no smack_file_permission hook 1517 * 1518 * Should access checks be done on each read or write? 1519 * UNICOS and SELinux say yes. 1520 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1521 * 1522 * I'll say no for now. Smack does not do the frequent 1523 * label changing that SELinux does. 1524 */ 1525 1526 /** 1527 * smack_file_alloc_security - assign a file security blob 1528 * @file: the object 1529 * 1530 * The security blob for a file is a pointer to the master 1531 * label list, so no allocation is done. 1532 * 1533 * f_security is the owner security information. It 1534 * isn't used on file access checks, it's for send_sigio. 1535 * 1536 * Returns 0 1537 */ 1538 static int smack_file_alloc_security(struct file *file) 1539 { 1540 struct smack_known **blob = smack_file(file); 1541 1542 *blob = smk_of_current(); 1543 return 0; 1544 } 1545 1546 /** 1547 * smack_file_ioctl - Smack check on ioctls 1548 * @file: the object 1549 * @cmd: what to do 1550 * @arg: unused 1551 * 1552 * Relies heavily on the correct use of the ioctl command conventions. 1553 * 1554 * Returns 0 if allowed, error code otherwise 1555 */ 1556 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1557 unsigned long arg) 1558 { 1559 int rc = 0; 1560 struct smk_audit_info ad; 1561 struct inode *inode = file_inode(file); 1562 1563 if (unlikely(IS_PRIVATE(inode))) 1564 return 0; 1565 1566 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1567 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1568 1569 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1570 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1571 rc = smk_bu_file(file, MAY_WRITE, rc); 1572 } 1573 1574 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1575 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1576 rc = smk_bu_file(file, MAY_READ, rc); 1577 } 1578 1579 return rc; 1580 } 1581 1582 /** 1583 * smack_file_lock - Smack check on file locking 1584 * @file: the object 1585 * @cmd: unused 1586 * 1587 * Returns 0 if current has lock access, error code otherwise 1588 */ 1589 static int smack_file_lock(struct file *file, unsigned int cmd) 1590 { 1591 struct smk_audit_info ad; 1592 int rc; 1593 struct inode *inode = file_inode(file); 1594 1595 if (unlikely(IS_PRIVATE(inode))) 1596 return 0; 1597 1598 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1599 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1600 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1601 rc = smk_bu_file(file, MAY_LOCK, rc); 1602 return rc; 1603 } 1604 1605 /** 1606 * smack_file_fcntl - Smack check on fcntl 1607 * @file: the object 1608 * @cmd: what action to check 1609 * @arg: unused 1610 * 1611 * Generally these operations are harmless. 1612 * File locking operations present an obvious mechanism 1613 * for passing information, so they require write access. 1614 * 1615 * Returns 0 if current has access, error code otherwise 1616 */ 1617 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1618 unsigned long arg) 1619 { 1620 struct smk_audit_info ad; 1621 int rc = 0; 1622 struct inode *inode = file_inode(file); 1623 1624 if (unlikely(IS_PRIVATE(inode))) 1625 return 0; 1626 1627 switch (cmd) { 1628 case F_GETLK: 1629 break; 1630 case F_SETLK: 1631 case F_SETLKW: 1632 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1633 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1634 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1635 rc = smk_bu_file(file, MAY_LOCK, rc); 1636 break; 1637 case F_SETOWN: 1638 case F_SETSIG: 1639 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1640 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1641 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1642 rc = smk_bu_file(file, MAY_WRITE, rc); 1643 break; 1644 default: 1645 break; 1646 } 1647 1648 return rc; 1649 } 1650 1651 /** 1652 * smack_mmap_file : 1653 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1654 * if mapping anonymous memory. 1655 * @file contains the file structure for file to map (may be NULL). 1656 * @reqprot contains the protection requested by the application. 1657 * @prot contains the protection that will be applied by the kernel. 1658 * @flags contains the operational flags. 1659 * Return 0 if permission is granted. 1660 */ 1661 static int smack_mmap_file(struct file *file, 1662 unsigned long reqprot, unsigned long prot, 1663 unsigned long flags) 1664 { 1665 struct smack_known *skp; 1666 struct smack_known *mkp; 1667 struct smack_rule *srp; 1668 struct task_smack *tsp; 1669 struct smack_known *okp; 1670 struct inode_smack *isp; 1671 struct superblock_smack *sbsp; 1672 int may; 1673 int mmay; 1674 int tmay; 1675 int rc; 1676 1677 if (file == NULL) 1678 return 0; 1679 1680 if (unlikely(IS_PRIVATE(file_inode(file)))) 1681 return 0; 1682 1683 isp = smack_inode(file_inode(file)); 1684 if (isp->smk_mmap == NULL) 1685 return 0; 1686 sbsp = file_inode(file)->i_sb->s_security; 1687 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1688 isp->smk_mmap != sbsp->smk_root) 1689 return -EACCES; 1690 mkp = isp->smk_mmap; 1691 1692 tsp = smack_cred(current_cred()); 1693 skp = smk_of_current(); 1694 rc = 0; 1695 1696 rcu_read_lock(); 1697 /* 1698 * For each Smack rule associated with the subject 1699 * label verify that the SMACK64MMAP also has access 1700 * to that rule's object label. 1701 */ 1702 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1703 okp = srp->smk_object; 1704 /* 1705 * Matching labels always allows access. 1706 */ 1707 if (mkp->smk_known == okp->smk_known) 1708 continue; 1709 /* 1710 * If there is a matching local rule take 1711 * that into account as well. 1712 */ 1713 may = smk_access_entry(srp->smk_subject->smk_known, 1714 okp->smk_known, 1715 &tsp->smk_rules); 1716 if (may == -ENOENT) 1717 may = srp->smk_access; 1718 else 1719 may &= srp->smk_access; 1720 /* 1721 * If may is zero the SMACK64MMAP subject can't 1722 * possibly have less access. 1723 */ 1724 if (may == 0) 1725 continue; 1726 1727 /* 1728 * Fetch the global list entry. 1729 * If there isn't one a SMACK64MMAP subject 1730 * can't have as much access as current. 1731 */ 1732 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1733 &mkp->smk_rules); 1734 if (mmay == -ENOENT) { 1735 rc = -EACCES; 1736 break; 1737 } 1738 /* 1739 * If there is a local entry it modifies the 1740 * potential access, too. 1741 */ 1742 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1743 &tsp->smk_rules); 1744 if (tmay != -ENOENT) 1745 mmay &= tmay; 1746 1747 /* 1748 * If there is any access available to current that is 1749 * not available to a SMACK64MMAP subject 1750 * deny access. 1751 */ 1752 if ((may | mmay) != mmay) { 1753 rc = -EACCES; 1754 break; 1755 } 1756 } 1757 1758 rcu_read_unlock(); 1759 1760 return rc; 1761 } 1762 1763 /** 1764 * smack_file_set_fowner - set the file security blob value 1765 * @file: object in question 1766 * 1767 */ 1768 static void smack_file_set_fowner(struct file *file) 1769 { 1770 struct smack_known **blob = smack_file(file); 1771 1772 *blob = smk_of_current(); 1773 } 1774 1775 /** 1776 * smack_file_send_sigiotask - Smack on sigio 1777 * @tsk: The target task 1778 * @fown: the object the signal come from 1779 * @signum: unused 1780 * 1781 * Allow a privileged task to get signals even if it shouldn't 1782 * 1783 * Returns 0 if a subject with the object's smack could 1784 * write to the task, an error code otherwise. 1785 */ 1786 static int smack_file_send_sigiotask(struct task_struct *tsk, 1787 struct fown_struct *fown, int signum) 1788 { 1789 struct smack_known **blob; 1790 struct smack_known *skp; 1791 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1792 const struct cred *tcred; 1793 struct file *file; 1794 int rc; 1795 struct smk_audit_info ad; 1796 1797 /* 1798 * struct fown_struct is never outside the context of a struct file 1799 */ 1800 file = container_of(fown, struct file, f_owner); 1801 1802 /* we don't log here as rc can be overriden */ 1803 blob = smack_file(file); 1804 skp = *blob; 1805 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1806 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1807 1808 rcu_read_lock(); 1809 tcred = __task_cred(tsk); 1810 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1811 rc = 0; 1812 rcu_read_unlock(); 1813 1814 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1815 smk_ad_setfield_u_tsk(&ad, tsk); 1816 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1817 return rc; 1818 } 1819 1820 /** 1821 * smack_file_receive - Smack file receive check 1822 * @file: the object 1823 * 1824 * Returns 0 if current has access, error code otherwise 1825 */ 1826 static int smack_file_receive(struct file *file) 1827 { 1828 int rc; 1829 int may = 0; 1830 struct smk_audit_info ad; 1831 struct inode *inode = file_inode(file); 1832 struct socket *sock; 1833 struct task_smack *tsp; 1834 struct socket_smack *ssp; 1835 1836 if (unlikely(IS_PRIVATE(inode))) 1837 return 0; 1838 1839 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1840 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1841 1842 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1843 sock = SOCKET_I(inode); 1844 ssp = sock->sk->sk_security; 1845 tsp = smack_cred(current_cred()); 1846 /* 1847 * If the receiving process can't write to the 1848 * passed socket or if the passed socket can't 1849 * write to the receiving process don't accept 1850 * the passed socket. 1851 */ 1852 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1853 rc = smk_bu_file(file, may, rc); 1854 if (rc < 0) 1855 return rc; 1856 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1857 rc = smk_bu_file(file, may, rc); 1858 return rc; 1859 } 1860 /* 1861 * This code relies on bitmasks. 1862 */ 1863 if (file->f_mode & FMODE_READ) 1864 may = MAY_READ; 1865 if (file->f_mode & FMODE_WRITE) 1866 may |= MAY_WRITE; 1867 1868 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1869 rc = smk_bu_file(file, may, rc); 1870 return rc; 1871 } 1872 1873 /** 1874 * smack_file_open - Smack dentry open processing 1875 * @file: the object 1876 * @cred: task credential 1877 * 1878 * Set the security blob in the file structure. 1879 * Allow the open only if the task has read access. There are 1880 * many read operations (e.g. fstat) that you can do with an 1881 * fd even if you have the file open write-only. 1882 * 1883 * Returns 0 1884 */ 1885 static int smack_file_open(struct file *file) 1886 { 1887 struct task_smack *tsp = smack_cred(file->f_cred); 1888 struct inode *inode = file_inode(file); 1889 struct smk_audit_info ad; 1890 int rc; 1891 1892 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1893 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1894 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1895 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1896 1897 return rc; 1898 } 1899 1900 /* 1901 * Task hooks 1902 */ 1903 1904 /** 1905 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1906 * @new: the new credentials 1907 * @gfp: the atomicity of any memory allocations 1908 * 1909 * Prepare a blank set of credentials for modification. This must allocate all 1910 * the memory the LSM module might require such that cred_transfer() can 1911 * complete without error. 1912 */ 1913 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1914 { 1915 init_task_smack(smack_cred(cred), NULL, NULL); 1916 return 0; 1917 } 1918 1919 1920 /** 1921 * smack_cred_free - "free" task-level security credentials 1922 * @cred: the credentials in question 1923 * 1924 */ 1925 static void smack_cred_free(struct cred *cred) 1926 { 1927 struct task_smack *tsp = smack_cred(cred); 1928 struct smack_rule *rp; 1929 struct list_head *l; 1930 struct list_head *n; 1931 1932 smk_destroy_label_list(&tsp->smk_relabel); 1933 1934 list_for_each_safe(l, n, &tsp->smk_rules) { 1935 rp = list_entry(l, struct smack_rule, list); 1936 list_del(&rp->list); 1937 kmem_cache_free(smack_rule_cache, rp); 1938 } 1939 } 1940 1941 /** 1942 * smack_cred_prepare - prepare new set of credentials for modification 1943 * @new: the new credentials 1944 * @old: the original credentials 1945 * @gfp: the atomicity of any memory allocations 1946 * 1947 * Prepare a new set of credentials for modification. 1948 */ 1949 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1950 gfp_t gfp) 1951 { 1952 struct task_smack *old_tsp = smack_cred(old); 1953 struct task_smack *new_tsp = smack_cred(new); 1954 int rc; 1955 1956 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1957 1958 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1959 if (rc != 0) 1960 return rc; 1961 1962 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1963 gfp); 1964 return rc; 1965 } 1966 1967 /** 1968 * smack_cred_transfer - Transfer the old credentials to the new credentials 1969 * @new: the new credentials 1970 * @old: the original credentials 1971 * 1972 * Fill in a set of blank credentials from another set of credentials. 1973 */ 1974 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1975 { 1976 struct task_smack *old_tsp = smack_cred(old); 1977 struct task_smack *new_tsp = smack_cred(new); 1978 1979 new_tsp->smk_task = old_tsp->smk_task; 1980 new_tsp->smk_forked = old_tsp->smk_task; 1981 mutex_init(&new_tsp->smk_rules_lock); 1982 INIT_LIST_HEAD(&new_tsp->smk_rules); 1983 1984 /* cbs copy rule list */ 1985 } 1986 1987 /** 1988 * smack_cred_getsecid - get the secid corresponding to a creds structure 1989 * @c: the object creds 1990 * @secid: where to put the result 1991 * 1992 * Sets the secid to contain a u32 version of the smack label. 1993 */ 1994 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 1995 { 1996 struct smack_known *skp; 1997 1998 rcu_read_lock(); 1999 skp = smk_of_task(smack_cred(cred)); 2000 *secid = skp->smk_secid; 2001 rcu_read_unlock(); 2002 } 2003 2004 /** 2005 * smack_kernel_act_as - Set the subjective context in a set of credentials 2006 * @new: points to the set of credentials to be modified. 2007 * @secid: specifies the security ID to be set 2008 * 2009 * Set the security data for a kernel service. 2010 */ 2011 static int smack_kernel_act_as(struct cred *new, u32 secid) 2012 { 2013 struct task_smack *new_tsp = smack_cred(new); 2014 2015 new_tsp->smk_task = smack_from_secid(secid); 2016 return 0; 2017 } 2018 2019 /** 2020 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2021 * @new: points to the set of credentials to be modified 2022 * @inode: points to the inode to use as a reference 2023 * 2024 * Set the file creation context in a set of credentials to the same 2025 * as the objective context of the specified inode 2026 */ 2027 static int smack_kernel_create_files_as(struct cred *new, 2028 struct inode *inode) 2029 { 2030 struct inode_smack *isp = smack_inode(inode); 2031 struct task_smack *tsp = smack_cred(new); 2032 2033 tsp->smk_forked = isp->smk_inode; 2034 tsp->smk_task = tsp->smk_forked; 2035 return 0; 2036 } 2037 2038 /** 2039 * smk_curacc_on_task - helper to log task related access 2040 * @p: the task object 2041 * @access: the access requested 2042 * @caller: name of the calling function for audit 2043 * 2044 * Return 0 if access is permitted 2045 */ 2046 static int smk_curacc_on_task(struct task_struct *p, int access, 2047 const char *caller) 2048 { 2049 struct smk_audit_info ad; 2050 struct smack_known *skp = smk_of_task_struct(p); 2051 int rc; 2052 2053 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2054 smk_ad_setfield_u_tsk(&ad, p); 2055 rc = smk_curacc(skp, access, &ad); 2056 rc = smk_bu_task(p, access, rc); 2057 return rc; 2058 } 2059 2060 /** 2061 * smack_task_setpgid - Smack check on setting pgid 2062 * @p: the task object 2063 * @pgid: unused 2064 * 2065 * Return 0 if write access is permitted 2066 */ 2067 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2068 { 2069 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2070 } 2071 2072 /** 2073 * smack_task_getpgid - Smack access check for getpgid 2074 * @p: the object task 2075 * 2076 * Returns 0 if current can read the object task, error code otherwise 2077 */ 2078 static int smack_task_getpgid(struct task_struct *p) 2079 { 2080 return smk_curacc_on_task(p, MAY_READ, __func__); 2081 } 2082 2083 /** 2084 * smack_task_getsid - Smack access check for getsid 2085 * @p: the object task 2086 * 2087 * Returns 0 if current can read the object task, error code otherwise 2088 */ 2089 static int smack_task_getsid(struct task_struct *p) 2090 { 2091 return smk_curacc_on_task(p, MAY_READ, __func__); 2092 } 2093 2094 /** 2095 * smack_task_getsecid - get the secid of the task 2096 * @p: the object task 2097 * @secid: where to put the result 2098 * 2099 * Sets the secid to contain a u32 version of the smack label. 2100 */ 2101 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2102 { 2103 struct smack_known *skp = smk_of_task_struct(p); 2104 2105 *secid = skp->smk_secid; 2106 } 2107 2108 /** 2109 * smack_task_setnice - Smack check on setting nice 2110 * @p: the task object 2111 * @nice: unused 2112 * 2113 * Return 0 if write access is permitted 2114 */ 2115 static int smack_task_setnice(struct task_struct *p, int nice) 2116 { 2117 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2118 } 2119 2120 /** 2121 * smack_task_setioprio - Smack check on setting ioprio 2122 * @p: the task object 2123 * @ioprio: unused 2124 * 2125 * Return 0 if write access is permitted 2126 */ 2127 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2128 { 2129 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2130 } 2131 2132 /** 2133 * smack_task_getioprio - Smack check on reading ioprio 2134 * @p: the task object 2135 * 2136 * Return 0 if read access is permitted 2137 */ 2138 static int smack_task_getioprio(struct task_struct *p) 2139 { 2140 return smk_curacc_on_task(p, MAY_READ, __func__); 2141 } 2142 2143 /** 2144 * smack_task_setscheduler - Smack check on setting scheduler 2145 * @p: the task object 2146 * @policy: unused 2147 * @lp: unused 2148 * 2149 * Return 0 if read access is permitted 2150 */ 2151 static int smack_task_setscheduler(struct task_struct *p) 2152 { 2153 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2154 } 2155 2156 /** 2157 * smack_task_getscheduler - Smack check on reading scheduler 2158 * @p: the task object 2159 * 2160 * Return 0 if read access is permitted 2161 */ 2162 static int smack_task_getscheduler(struct task_struct *p) 2163 { 2164 return smk_curacc_on_task(p, MAY_READ, __func__); 2165 } 2166 2167 /** 2168 * smack_task_movememory - Smack check on moving memory 2169 * @p: the task object 2170 * 2171 * Return 0 if write access is permitted 2172 */ 2173 static int smack_task_movememory(struct task_struct *p) 2174 { 2175 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2176 } 2177 2178 /** 2179 * smack_task_kill - Smack check on signal delivery 2180 * @p: the task object 2181 * @info: unused 2182 * @sig: unused 2183 * @cred: identifies the cred to use in lieu of current's 2184 * 2185 * Return 0 if write access is permitted 2186 * 2187 */ 2188 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2189 int sig, const struct cred *cred) 2190 { 2191 struct smk_audit_info ad; 2192 struct smack_known *skp; 2193 struct smack_known *tkp = smk_of_task_struct(p); 2194 int rc; 2195 2196 if (!sig) 2197 return 0; /* null signal; existence test */ 2198 2199 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2200 smk_ad_setfield_u_tsk(&ad, p); 2201 /* 2202 * Sending a signal requires that the sender 2203 * can write the receiver. 2204 */ 2205 if (cred == NULL) { 2206 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2207 rc = smk_bu_task(p, MAY_DELIVER, rc); 2208 return rc; 2209 } 2210 /* 2211 * If the cred isn't NULL we're dealing with some USB IO 2212 * specific behavior. This is not clean. For one thing 2213 * we can't take privilege into account. 2214 */ 2215 skp = smk_of_task(smack_cred(cred)); 2216 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2217 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2218 return rc; 2219 } 2220 2221 /** 2222 * smack_task_to_inode - copy task smack into the inode blob 2223 * @p: task to copy from 2224 * @inode: inode to copy to 2225 * 2226 * Sets the smack pointer in the inode security blob 2227 */ 2228 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2229 { 2230 struct inode_smack *isp = smack_inode(inode); 2231 struct smack_known *skp = smk_of_task_struct(p); 2232 2233 isp->smk_inode = skp; 2234 isp->smk_flags |= SMK_INODE_INSTANT; 2235 } 2236 2237 /* 2238 * Socket hooks. 2239 */ 2240 2241 /** 2242 * smack_sk_alloc_security - Allocate a socket blob 2243 * @sk: the socket 2244 * @family: unused 2245 * @gfp_flags: memory allocation flags 2246 * 2247 * Assign Smack pointers to current 2248 * 2249 * Returns 0 on success, -ENOMEM is there's no memory 2250 */ 2251 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2252 { 2253 struct smack_known *skp = smk_of_current(); 2254 struct socket_smack *ssp; 2255 2256 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2257 if (ssp == NULL) 2258 return -ENOMEM; 2259 2260 /* 2261 * Sockets created by kernel threads receive web label. 2262 */ 2263 if (unlikely(current->flags & PF_KTHREAD)) { 2264 ssp->smk_in = &smack_known_web; 2265 ssp->smk_out = &smack_known_web; 2266 } else { 2267 ssp->smk_in = skp; 2268 ssp->smk_out = skp; 2269 } 2270 ssp->smk_packet = NULL; 2271 2272 sk->sk_security = ssp; 2273 2274 return 0; 2275 } 2276 2277 /** 2278 * smack_sk_free_security - Free a socket blob 2279 * @sk: the socket 2280 * 2281 * Clears the blob pointer 2282 */ 2283 static void smack_sk_free_security(struct sock *sk) 2284 { 2285 #ifdef SMACK_IPV6_PORT_LABELING 2286 struct smk_port_label *spp; 2287 2288 if (sk->sk_family == PF_INET6) { 2289 rcu_read_lock(); 2290 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2291 if (spp->smk_sock != sk) 2292 continue; 2293 spp->smk_can_reuse = 1; 2294 break; 2295 } 2296 rcu_read_unlock(); 2297 } 2298 #endif 2299 kfree(sk->sk_security); 2300 } 2301 2302 /** 2303 * smack_ipv4host_label - check host based restrictions 2304 * @sip: the object end 2305 * 2306 * looks for host based access restrictions 2307 * 2308 * This version will only be appropriate for really small sets of single label 2309 * hosts. The caller is responsible for ensuring that the RCU read lock is 2310 * taken before calling this function. 2311 * 2312 * Returns the label of the far end or NULL if it's not special. 2313 */ 2314 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2315 { 2316 struct smk_net4addr *snp; 2317 struct in_addr *siap = &sip->sin_addr; 2318 2319 if (siap->s_addr == 0) 2320 return NULL; 2321 2322 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2323 /* 2324 * we break after finding the first match because 2325 * the list is sorted from longest to shortest mask 2326 * so we have found the most specific match 2327 */ 2328 if (snp->smk_host.s_addr == 2329 (siap->s_addr & snp->smk_mask.s_addr)) 2330 return snp->smk_label; 2331 2332 return NULL; 2333 } 2334 2335 #if IS_ENABLED(CONFIG_IPV6) 2336 /* 2337 * smk_ipv6_localhost - Check for local ipv6 host address 2338 * @sip: the address 2339 * 2340 * Returns boolean true if this is the localhost address 2341 */ 2342 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2343 { 2344 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2345 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2346 2347 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2348 ntohs(be16p[7]) == 1) 2349 return true; 2350 return false; 2351 } 2352 2353 /** 2354 * smack_ipv6host_label - check host based restrictions 2355 * @sip: the object end 2356 * 2357 * looks for host based access restrictions 2358 * 2359 * This version will only be appropriate for really small sets of single label 2360 * hosts. The caller is responsible for ensuring that the RCU read lock is 2361 * taken before calling this function. 2362 * 2363 * Returns the label of the far end or NULL if it's not special. 2364 */ 2365 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2366 { 2367 struct smk_net6addr *snp; 2368 struct in6_addr *sap = &sip->sin6_addr; 2369 int i; 2370 int found = 0; 2371 2372 /* 2373 * It's local. Don't look for a host label. 2374 */ 2375 if (smk_ipv6_localhost(sip)) 2376 return NULL; 2377 2378 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2379 /* 2380 * If the label is NULL the entry has 2381 * been renounced. Ignore it. 2382 */ 2383 if (snp->smk_label == NULL) 2384 continue; 2385 /* 2386 * we break after finding the first match because 2387 * the list is sorted from longest to shortest mask 2388 * so we have found the most specific match 2389 */ 2390 for (found = 1, i = 0; i < 8; i++) { 2391 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2392 snp->smk_host.s6_addr16[i]) { 2393 found = 0; 2394 break; 2395 } 2396 } 2397 if (found) 2398 return snp->smk_label; 2399 } 2400 2401 return NULL; 2402 } 2403 #endif /* CONFIG_IPV6 */ 2404 2405 /** 2406 * smack_netlabel - Set the secattr on a socket 2407 * @sk: the socket 2408 * @labeled: socket label scheme 2409 * 2410 * Convert the outbound smack value (smk_out) to a 2411 * secattr and attach it to the socket. 2412 * 2413 * Returns 0 on success or an error code 2414 */ 2415 static int smack_netlabel(struct sock *sk, int labeled) 2416 { 2417 struct smack_known *skp; 2418 struct socket_smack *ssp = sk->sk_security; 2419 int rc = 0; 2420 2421 /* 2422 * Usually the netlabel code will handle changing the 2423 * packet labeling based on the label. 2424 * The case of a single label host is different, because 2425 * a single label host should never get a labeled packet 2426 * even though the label is usually associated with a packet 2427 * label. 2428 */ 2429 local_bh_disable(); 2430 bh_lock_sock_nested(sk); 2431 2432 if (ssp->smk_out == smack_net_ambient || 2433 labeled == SMACK_UNLABELED_SOCKET) 2434 netlbl_sock_delattr(sk); 2435 else { 2436 skp = ssp->smk_out; 2437 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2438 } 2439 2440 bh_unlock_sock(sk); 2441 local_bh_enable(); 2442 2443 return rc; 2444 } 2445 2446 /** 2447 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2448 * @sk: the socket 2449 * @sap: the destination address 2450 * 2451 * Set the correct secattr for the given socket based on the destination 2452 * address and perform any outbound access checks needed. 2453 * 2454 * Returns 0 on success or an error code. 2455 * 2456 */ 2457 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2458 { 2459 struct smack_known *skp; 2460 int rc; 2461 int sk_lbl; 2462 struct smack_known *hkp; 2463 struct socket_smack *ssp = sk->sk_security; 2464 struct smk_audit_info ad; 2465 2466 rcu_read_lock(); 2467 hkp = smack_ipv4host_label(sap); 2468 if (hkp != NULL) { 2469 #ifdef CONFIG_AUDIT 2470 struct lsm_network_audit net; 2471 2472 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2473 ad.a.u.net->family = sap->sin_family; 2474 ad.a.u.net->dport = sap->sin_port; 2475 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2476 #endif 2477 sk_lbl = SMACK_UNLABELED_SOCKET; 2478 skp = ssp->smk_out; 2479 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2480 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2481 } else { 2482 sk_lbl = SMACK_CIPSO_SOCKET; 2483 rc = 0; 2484 } 2485 rcu_read_unlock(); 2486 if (rc != 0) 2487 return rc; 2488 2489 return smack_netlabel(sk, sk_lbl); 2490 } 2491 2492 #if IS_ENABLED(CONFIG_IPV6) 2493 /** 2494 * smk_ipv6_check - check Smack access 2495 * @subject: subject Smack label 2496 * @object: object Smack label 2497 * @address: address 2498 * @act: the action being taken 2499 * 2500 * Check an IPv6 access 2501 */ 2502 static int smk_ipv6_check(struct smack_known *subject, 2503 struct smack_known *object, 2504 struct sockaddr_in6 *address, int act) 2505 { 2506 #ifdef CONFIG_AUDIT 2507 struct lsm_network_audit net; 2508 #endif 2509 struct smk_audit_info ad; 2510 int rc; 2511 2512 #ifdef CONFIG_AUDIT 2513 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2514 ad.a.u.net->family = PF_INET6; 2515 ad.a.u.net->dport = ntohs(address->sin6_port); 2516 if (act == SMK_RECEIVING) 2517 ad.a.u.net->v6info.saddr = address->sin6_addr; 2518 else 2519 ad.a.u.net->v6info.daddr = address->sin6_addr; 2520 #endif 2521 rc = smk_access(subject, object, MAY_WRITE, &ad); 2522 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2523 return rc; 2524 } 2525 #endif /* CONFIG_IPV6 */ 2526 2527 #ifdef SMACK_IPV6_PORT_LABELING 2528 /** 2529 * smk_ipv6_port_label - Smack port access table management 2530 * @sock: socket 2531 * @address: address 2532 * 2533 * Create or update the port list entry 2534 */ 2535 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2536 { 2537 struct sock *sk = sock->sk; 2538 struct sockaddr_in6 *addr6; 2539 struct socket_smack *ssp = sock->sk->sk_security; 2540 struct smk_port_label *spp; 2541 unsigned short port = 0; 2542 2543 if (address == NULL) { 2544 /* 2545 * This operation is changing the Smack information 2546 * on the bound socket. Take the changes to the port 2547 * as well. 2548 */ 2549 rcu_read_lock(); 2550 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2551 if (sk != spp->smk_sock) 2552 continue; 2553 spp->smk_in = ssp->smk_in; 2554 spp->smk_out = ssp->smk_out; 2555 rcu_read_unlock(); 2556 return; 2557 } 2558 /* 2559 * A NULL address is only used for updating existing 2560 * bound entries. If there isn't one, it's OK. 2561 */ 2562 rcu_read_unlock(); 2563 return; 2564 } 2565 2566 addr6 = (struct sockaddr_in6 *)address; 2567 port = ntohs(addr6->sin6_port); 2568 /* 2569 * This is a special case that is safely ignored. 2570 */ 2571 if (port == 0) 2572 return; 2573 2574 /* 2575 * Look for an existing port list entry. 2576 * This is an indication that a port is getting reused. 2577 */ 2578 rcu_read_lock(); 2579 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2580 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2581 continue; 2582 if (spp->smk_can_reuse != 1) { 2583 rcu_read_unlock(); 2584 return; 2585 } 2586 spp->smk_port = port; 2587 spp->smk_sock = sk; 2588 spp->smk_in = ssp->smk_in; 2589 spp->smk_out = ssp->smk_out; 2590 spp->smk_can_reuse = 0; 2591 rcu_read_unlock(); 2592 return; 2593 } 2594 rcu_read_unlock(); 2595 /* 2596 * A new port entry is required. 2597 */ 2598 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2599 if (spp == NULL) 2600 return; 2601 2602 spp->smk_port = port; 2603 spp->smk_sock = sk; 2604 spp->smk_in = ssp->smk_in; 2605 spp->smk_out = ssp->smk_out; 2606 spp->smk_sock_type = sock->type; 2607 spp->smk_can_reuse = 0; 2608 2609 mutex_lock(&smack_ipv6_lock); 2610 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2611 mutex_unlock(&smack_ipv6_lock); 2612 return; 2613 } 2614 2615 /** 2616 * smk_ipv6_port_check - check Smack port access 2617 * @sock: socket 2618 * @address: address 2619 * 2620 * Create or update the port list entry 2621 */ 2622 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2623 int act) 2624 { 2625 struct smk_port_label *spp; 2626 struct socket_smack *ssp = sk->sk_security; 2627 struct smack_known *skp = NULL; 2628 unsigned short port; 2629 struct smack_known *object; 2630 2631 if (act == SMK_RECEIVING) { 2632 skp = smack_ipv6host_label(address); 2633 object = ssp->smk_in; 2634 } else { 2635 skp = ssp->smk_out; 2636 object = smack_ipv6host_label(address); 2637 } 2638 2639 /* 2640 * The other end is a single label host. 2641 */ 2642 if (skp != NULL && object != NULL) 2643 return smk_ipv6_check(skp, object, address, act); 2644 if (skp == NULL) 2645 skp = smack_net_ambient; 2646 if (object == NULL) 2647 object = smack_net_ambient; 2648 2649 /* 2650 * It's remote, so port lookup does no good. 2651 */ 2652 if (!smk_ipv6_localhost(address)) 2653 return smk_ipv6_check(skp, object, address, act); 2654 2655 /* 2656 * It's local so the send check has to have passed. 2657 */ 2658 if (act == SMK_RECEIVING) 2659 return 0; 2660 2661 port = ntohs(address->sin6_port); 2662 rcu_read_lock(); 2663 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2664 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2665 continue; 2666 object = spp->smk_in; 2667 if (act == SMK_CONNECTING) 2668 ssp->smk_packet = spp->smk_out; 2669 break; 2670 } 2671 rcu_read_unlock(); 2672 2673 return smk_ipv6_check(skp, object, address, act); 2674 } 2675 #endif /* SMACK_IPV6_PORT_LABELING */ 2676 2677 /** 2678 * smack_inode_setsecurity - set smack xattrs 2679 * @inode: the object 2680 * @name: attribute name 2681 * @value: attribute value 2682 * @size: size of the attribute 2683 * @flags: unused 2684 * 2685 * Sets the named attribute in the appropriate blob 2686 * 2687 * Returns 0 on success, or an error code 2688 */ 2689 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2690 const void *value, size_t size, int flags) 2691 { 2692 struct smack_known *skp; 2693 struct inode_smack *nsp = smack_inode(inode); 2694 struct socket_smack *ssp; 2695 struct socket *sock; 2696 int rc = 0; 2697 2698 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2699 return -EINVAL; 2700 2701 skp = smk_import_entry(value, size); 2702 if (IS_ERR(skp)) 2703 return PTR_ERR(skp); 2704 2705 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2706 nsp->smk_inode = skp; 2707 nsp->smk_flags |= SMK_INODE_INSTANT; 2708 return 0; 2709 } 2710 /* 2711 * The rest of the Smack xattrs are only on sockets. 2712 */ 2713 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2714 return -EOPNOTSUPP; 2715 2716 sock = SOCKET_I(inode); 2717 if (sock == NULL || sock->sk == NULL) 2718 return -EOPNOTSUPP; 2719 2720 ssp = sock->sk->sk_security; 2721 2722 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2723 ssp->smk_in = skp; 2724 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2725 ssp->smk_out = skp; 2726 if (sock->sk->sk_family == PF_INET) { 2727 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2728 if (rc != 0) 2729 printk(KERN_WARNING 2730 "Smack: \"%s\" netlbl error %d.\n", 2731 __func__, -rc); 2732 } 2733 } else 2734 return -EOPNOTSUPP; 2735 2736 #ifdef SMACK_IPV6_PORT_LABELING 2737 if (sock->sk->sk_family == PF_INET6) 2738 smk_ipv6_port_label(sock, NULL); 2739 #endif 2740 2741 return 0; 2742 } 2743 2744 /** 2745 * smack_socket_post_create - finish socket setup 2746 * @sock: the socket 2747 * @family: protocol family 2748 * @type: unused 2749 * @protocol: unused 2750 * @kern: unused 2751 * 2752 * Sets the netlabel information on the socket 2753 * 2754 * Returns 0 on success, and error code otherwise 2755 */ 2756 static int smack_socket_post_create(struct socket *sock, int family, 2757 int type, int protocol, int kern) 2758 { 2759 struct socket_smack *ssp; 2760 2761 if (sock->sk == NULL) 2762 return 0; 2763 2764 /* 2765 * Sockets created by kernel threads receive web label. 2766 */ 2767 if (unlikely(current->flags & PF_KTHREAD)) { 2768 ssp = sock->sk->sk_security; 2769 ssp->smk_in = &smack_known_web; 2770 ssp->smk_out = &smack_known_web; 2771 } 2772 2773 if (family != PF_INET) 2774 return 0; 2775 /* 2776 * Set the outbound netlbl. 2777 */ 2778 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2779 } 2780 2781 /** 2782 * smack_socket_socketpair - create socket pair 2783 * @socka: one socket 2784 * @sockb: another socket 2785 * 2786 * Cross reference the peer labels for SO_PEERSEC 2787 * 2788 * Returns 0 on success, and error code otherwise 2789 */ 2790 static int smack_socket_socketpair(struct socket *socka, 2791 struct socket *sockb) 2792 { 2793 struct socket_smack *asp = socka->sk->sk_security; 2794 struct socket_smack *bsp = sockb->sk->sk_security; 2795 2796 asp->smk_packet = bsp->smk_out; 2797 bsp->smk_packet = asp->smk_out; 2798 2799 return 0; 2800 } 2801 2802 #ifdef SMACK_IPV6_PORT_LABELING 2803 /** 2804 * smack_socket_bind - record port binding information. 2805 * @sock: the socket 2806 * @address: the port address 2807 * @addrlen: size of the address 2808 * 2809 * Records the label bound to a port. 2810 * 2811 * Returns 0 on success, and error code otherwise 2812 */ 2813 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2814 int addrlen) 2815 { 2816 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2817 if (addrlen < SIN6_LEN_RFC2133 || 2818 address->sa_family != AF_INET6) 2819 return -EINVAL; 2820 smk_ipv6_port_label(sock, address); 2821 } 2822 return 0; 2823 } 2824 #endif /* SMACK_IPV6_PORT_LABELING */ 2825 2826 /** 2827 * smack_socket_connect - connect access check 2828 * @sock: the socket 2829 * @sap: the other end 2830 * @addrlen: size of sap 2831 * 2832 * Verifies that a connection may be possible 2833 * 2834 * Returns 0 on success, and error code otherwise 2835 */ 2836 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2837 int addrlen) 2838 { 2839 int rc = 0; 2840 #if IS_ENABLED(CONFIG_IPV6) 2841 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2842 #endif 2843 #ifdef SMACK_IPV6_SECMARK_LABELING 2844 struct smack_known *rsp; 2845 struct socket_smack *ssp; 2846 #endif 2847 2848 if (sock->sk == NULL) 2849 return 0; 2850 2851 #ifdef SMACK_IPV6_SECMARK_LABELING 2852 ssp = sock->sk->sk_security; 2853 #endif 2854 2855 switch (sock->sk->sk_family) { 2856 case PF_INET: 2857 if (addrlen < sizeof(struct sockaddr_in) || 2858 sap->sa_family != AF_INET) 2859 return -EINVAL; 2860 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2861 break; 2862 case PF_INET6: 2863 if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6) 2864 return -EINVAL; 2865 #ifdef SMACK_IPV6_SECMARK_LABELING 2866 rsp = smack_ipv6host_label(sip); 2867 if (rsp != NULL) 2868 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2869 SMK_CONNECTING); 2870 #endif 2871 #ifdef SMACK_IPV6_PORT_LABELING 2872 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2873 #endif 2874 break; 2875 } 2876 return rc; 2877 } 2878 2879 /** 2880 * smack_flags_to_may - convert S_ to MAY_ values 2881 * @flags: the S_ value 2882 * 2883 * Returns the equivalent MAY_ value 2884 */ 2885 static int smack_flags_to_may(int flags) 2886 { 2887 int may = 0; 2888 2889 if (flags & S_IRUGO) 2890 may |= MAY_READ; 2891 if (flags & S_IWUGO) 2892 may |= MAY_WRITE; 2893 if (flags & S_IXUGO) 2894 may |= MAY_EXEC; 2895 2896 return may; 2897 } 2898 2899 /** 2900 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2901 * @msg: the object 2902 * 2903 * Returns 0 2904 */ 2905 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2906 { 2907 struct smack_known **blob = smack_msg_msg(msg); 2908 2909 *blob = smk_of_current(); 2910 return 0; 2911 } 2912 2913 /** 2914 * smack_of_ipc - the smack pointer for the ipc 2915 * @isp: the object 2916 * 2917 * Returns a pointer to the smack value 2918 */ 2919 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2920 { 2921 struct smack_known **blob = smack_ipc(isp); 2922 2923 return *blob; 2924 } 2925 2926 /** 2927 * smack_ipc_alloc_security - Set the security blob for ipc 2928 * @isp: the object 2929 * 2930 * Returns 0 2931 */ 2932 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2933 { 2934 struct smack_known **blob = smack_ipc(isp); 2935 2936 *blob = smk_of_current(); 2937 return 0; 2938 } 2939 2940 /** 2941 * smk_curacc_shm : check if current has access on shm 2942 * @isp : the object 2943 * @access : access requested 2944 * 2945 * Returns 0 if current has the requested access, error code otherwise 2946 */ 2947 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2948 { 2949 struct smack_known *ssp = smack_of_ipc(isp); 2950 struct smk_audit_info ad; 2951 int rc; 2952 2953 #ifdef CONFIG_AUDIT 2954 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2955 ad.a.u.ipc_id = isp->id; 2956 #endif 2957 rc = smk_curacc(ssp, access, &ad); 2958 rc = smk_bu_current("shm", ssp, access, rc); 2959 return rc; 2960 } 2961 2962 /** 2963 * smack_shm_associate - Smack access check for shm 2964 * @isp: the object 2965 * @shmflg: access requested 2966 * 2967 * Returns 0 if current has the requested access, error code otherwise 2968 */ 2969 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2970 { 2971 int may; 2972 2973 may = smack_flags_to_may(shmflg); 2974 return smk_curacc_shm(isp, may); 2975 } 2976 2977 /** 2978 * smack_shm_shmctl - Smack access check for shm 2979 * @isp: the object 2980 * @cmd: what it wants to do 2981 * 2982 * Returns 0 if current has the requested access, error code otherwise 2983 */ 2984 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2985 { 2986 int may; 2987 2988 switch (cmd) { 2989 case IPC_STAT: 2990 case SHM_STAT: 2991 case SHM_STAT_ANY: 2992 may = MAY_READ; 2993 break; 2994 case IPC_SET: 2995 case SHM_LOCK: 2996 case SHM_UNLOCK: 2997 case IPC_RMID: 2998 may = MAY_READWRITE; 2999 break; 3000 case IPC_INFO: 3001 case SHM_INFO: 3002 /* 3003 * System level information. 3004 */ 3005 return 0; 3006 default: 3007 return -EINVAL; 3008 } 3009 return smk_curacc_shm(isp, may); 3010 } 3011 3012 /** 3013 * smack_shm_shmat - Smack access for shmat 3014 * @isp: the object 3015 * @shmaddr: unused 3016 * @shmflg: access requested 3017 * 3018 * Returns 0 if current has the requested access, error code otherwise 3019 */ 3020 static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, 3021 int shmflg) 3022 { 3023 int may; 3024 3025 may = smack_flags_to_may(shmflg); 3026 return smk_curacc_shm(ipc, may); 3027 } 3028 3029 /** 3030 * smk_curacc_sem : check if current has access on sem 3031 * @isp : the object 3032 * @access : access requested 3033 * 3034 * Returns 0 if current has the requested access, error code otherwise 3035 */ 3036 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3037 { 3038 struct smack_known *ssp = smack_of_ipc(isp); 3039 struct smk_audit_info ad; 3040 int rc; 3041 3042 #ifdef CONFIG_AUDIT 3043 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3044 ad.a.u.ipc_id = isp->id; 3045 #endif 3046 rc = smk_curacc(ssp, access, &ad); 3047 rc = smk_bu_current("sem", ssp, access, rc); 3048 return rc; 3049 } 3050 3051 /** 3052 * smack_sem_associate - Smack access check for sem 3053 * @isp: the object 3054 * @semflg: access requested 3055 * 3056 * Returns 0 if current has the requested access, error code otherwise 3057 */ 3058 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3059 { 3060 int may; 3061 3062 may = smack_flags_to_may(semflg); 3063 return smk_curacc_sem(isp, may); 3064 } 3065 3066 /** 3067 * smack_sem_shmctl - Smack access check for sem 3068 * @isp: the object 3069 * @cmd: what it wants to do 3070 * 3071 * Returns 0 if current has the requested access, error code otherwise 3072 */ 3073 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3074 { 3075 int may; 3076 3077 switch (cmd) { 3078 case GETPID: 3079 case GETNCNT: 3080 case GETZCNT: 3081 case GETVAL: 3082 case GETALL: 3083 case IPC_STAT: 3084 case SEM_STAT: 3085 case SEM_STAT_ANY: 3086 may = MAY_READ; 3087 break; 3088 case SETVAL: 3089 case SETALL: 3090 case IPC_RMID: 3091 case IPC_SET: 3092 may = MAY_READWRITE; 3093 break; 3094 case IPC_INFO: 3095 case SEM_INFO: 3096 /* 3097 * System level information 3098 */ 3099 return 0; 3100 default: 3101 return -EINVAL; 3102 } 3103 3104 return smk_curacc_sem(isp, may); 3105 } 3106 3107 /** 3108 * smack_sem_semop - Smack checks of semaphore operations 3109 * @isp: the object 3110 * @sops: unused 3111 * @nsops: unused 3112 * @alter: unused 3113 * 3114 * Treated as read and write in all cases. 3115 * 3116 * Returns 0 if access is allowed, error code otherwise 3117 */ 3118 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3119 unsigned nsops, int alter) 3120 { 3121 return smk_curacc_sem(isp, MAY_READWRITE); 3122 } 3123 3124 /** 3125 * smk_curacc_msq : helper to check if current has access on msq 3126 * @isp : the msq 3127 * @access : access requested 3128 * 3129 * return 0 if current has access, error otherwise 3130 */ 3131 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3132 { 3133 struct smack_known *msp = smack_of_ipc(isp); 3134 struct smk_audit_info ad; 3135 int rc; 3136 3137 #ifdef CONFIG_AUDIT 3138 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3139 ad.a.u.ipc_id = isp->id; 3140 #endif 3141 rc = smk_curacc(msp, access, &ad); 3142 rc = smk_bu_current("msq", msp, access, rc); 3143 return rc; 3144 } 3145 3146 /** 3147 * smack_msg_queue_associate - Smack access check for msg_queue 3148 * @isp: the object 3149 * @msqflg: access requested 3150 * 3151 * Returns 0 if current has the requested access, error code otherwise 3152 */ 3153 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3154 { 3155 int may; 3156 3157 may = smack_flags_to_may(msqflg); 3158 return smk_curacc_msq(isp, may); 3159 } 3160 3161 /** 3162 * smack_msg_queue_msgctl - Smack access check for msg_queue 3163 * @isp: the object 3164 * @cmd: what it wants to do 3165 * 3166 * Returns 0 if current has the requested access, error code otherwise 3167 */ 3168 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3169 { 3170 int may; 3171 3172 switch (cmd) { 3173 case IPC_STAT: 3174 case MSG_STAT: 3175 case MSG_STAT_ANY: 3176 may = MAY_READ; 3177 break; 3178 case IPC_SET: 3179 case IPC_RMID: 3180 may = MAY_READWRITE; 3181 break; 3182 case IPC_INFO: 3183 case MSG_INFO: 3184 /* 3185 * System level information 3186 */ 3187 return 0; 3188 default: 3189 return -EINVAL; 3190 } 3191 3192 return smk_curacc_msq(isp, may); 3193 } 3194 3195 /** 3196 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3197 * @isp: the object 3198 * @msg: unused 3199 * @msqflg: access requested 3200 * 3201 * Returns 0 if current has the requested access, error code otherwise 3202 */ 3203 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3204 int msqflg) 3205 { 3206 int may; 3207 3208 may = smack_flags_to_may(msqflg); 3209 return smk_curacc_msq(isp, may); 3210 } 3211 3212 /** 3213 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3214 * @isp: the object 3215 * @msg: unused 3216 * @target: unused 3217 * @type: unused 3218 * @mode: unused 3219 * 3220 * Returns 0 if current has read and write access, error code otherwise 3221 */ 3222 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3223 struct task_struct *target, long type, int mode) 3224 { 3225 return smk_curacc_msq(isp, MAY_READWRITE); 3226 } 3227 3228 /** 3229 * smack_ipc_permission - Smack access for ipc_permission() 3230 * @ipp: the object permissions 3231 * @flag: access requested 3232 * 3233 * Returns 0 if current has read and write access, error code otherwise 3234 */ 3235 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3236 { 3237 struct smack_known **blob = smack_ipc(ipp); 3238 struct smack_known *iskp = *blob; 3239 int may = smack_flags_to_may(flag); 3240 struct smk_audit_info ad; 3241 int rc; 3242 3243 #ifdef CONFIG_AUDIT 3244 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3245 ad.a.u.ipc_id = ipp->id; 3246 #endif 3247 rc = smk_curacc(iskp, may, &ad); 3248 rc = smk_bu_current("svipc", iskp, may, rc); 3249 return rc; 3250 } 3251 3252 /** 3253 * smack_ipc_getsecid - Extract smack security id 3254 * @ipp: the object permissions 3255 * @secid: where result will be saved 3256 */ 3257 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3258 { 3259 struct smack_known **blob = smack_ipc(ipp); 3260 struct smack_known *iskp = *blob; 3261 3262 *secid = iskp->smk_secid; 3263 } 3264 3265 /** 3266 * smack_d_instantiate - Make sure the blob is correct on an inode 3267 * @opt_dentry: dentry where inode will be attached 3268 * @inode: the object 3269 * 3270 * Set the inode's security blob if it hasn't been done already. 3271 */ 3272 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3273 { 3274 struct super_block *sbp; 3275 struct superblock_smack *sbsp; 3276 struct inode_smack *isp; 3277 struct smack_known *skp; 3278 struct smack_known *ckp = smk_of_current(); 3279 struct smack_known *final; 3280 char trattr[TRANS_TRUE_SIZE]; 3281 int transflag = 0; 3282 int rc; 3283 struct dentry *dp; 3284 3285 if (inode == NULL) 3286 return; 3287 3288 isp = smack_inode(inode); 3289 3290 mutex_lock(&isp->smk_lock); 3291 /* 3292 * If the inode is already instantiated 3293 * take the quick way out 3294 */ 3295 if (isp->smk_flags & SMK_INODE_INSTANT) 3296 goto unlockandout; 3297 3298 sbp = inode->i_sb; 3299 sbsp = sbp->s_security; 3300 /* 3301 * We're going to use the superblock default label 3302 * if there's no label on the file. 3303 */ 3304 final = sbsp->smk_default; 3305 3306 /* 3307 * If this is the root inode the superblock 3308 * may be in the process of initialization. 3309 * If that is the case use the root value out 3310 * of the superblock. 3311 */ 3312 if (opt_dentry->d_parent == opt_dentry) { 3313 switch (sbp->s_magic) { 3314 case CGROUP_SUPER_MAGIC: 3315 case CGROUP2_SUPER_MAGIC: 3316 /* 3317 * The cgroup filesystem is never mounted, 3318 * so there's no opportunity to set the mount 3319 * options. 3320 */ 3321 sbsp->smk_root = &smack_known_star; 3322 sbsp->smk_default = &smack_known_star; 3323 isp->smk_inode = sbsp->smk_root; 3324 break; 3325 case TMPFS_MAGIC: 3326 /* 3327 * What about shmem/tmpfs anonymous files with dentry 3328 * obtained from d_alloc_pseudo()? 3329 */ 3330 isp->smk_inode = smk_of_current(); 3331 break; 3332 case PIPEFS_MAGIC: 3333 isp->smk_inode = smk_of_current(); 3334 break; 3335 case SOCKFS_MAGIC: 3336 /* 3337 * Socket access is controlled by the socket 3338 * structures associated with the task involved. 3339 */ 3340 isp->smk_inode = &smack_known_star; 3341 break; 3342 default: 3343 isp->smk_inode = sbsp->smk_root; 3344 break; 3345 } 3346 isp->smk_flags |= SMK_INODE_INSTANT; 3347 goto unlockandout; 3348 } 3349 3350 /* 3351 * This is pretty hackish. 3352 * Casey says that we shouldn't have to do 3353 * file system specific code, but it does help 3354 * with keeping it simple. 3355 */ 3356 switch (sbp->s_magic) { 3357 case SMACK_MAGIC: 3358 case CGROUP_SUPER_MAGIC: 3359 case CGROUP2_SUPER_MAGIC: 3360 /* 3361 * Casey says that it's a little embarrassing 3362 * that the smack file system doesn't do 3363 * extended attributes. 3364 * 3365 * Cgroupfs is special 3366 */ 3367 final = &smack_known_star; 3368 break; 3369 case DEVPTS_SUPER_MAGIC: 3370 /* 3371 * devpts seems content with the label of the task. 3372 * Programs that change smack have to treat the 3373 * pty with respect. 3374 */ 3375 final = ckp; 3376 break; 3377 case PROC_SUPER_MAGIC: 3378 /* 3379 * Casey says procfs appears not to care. 3380 * The superblock default suffices. 3381 */ 3382 break; 3383 case TMPFS_MAGIC: 3384 /* 3385 * Device labels should come from the filesystem, 3386 * but watch out, because they're volitile, 3387 * getting recreated on every reboot. 3388 */ 3389 final = &smack_known_star; 3390 /* 3391 * If a smack value has been set we want to use it, 3392 * but since tmpfs isn't giving us the opportunity 3393 * to set mount options simulate setting the 3394 * superblock default. 3395 */ 3396 /* Fall through */ 3397 default: 3398 /* 3399 * This isn't an understood special case. 3400 * Get the value from the xattr. 3401 */ 3402 3403 /* 3404 * UNIX domain sockets use lower level socket data. 3405 */ 3406 if (S_ISSOCK(inode->i_mode)) { 3407 final = &smack_known_star; 3408 break; 3409 } 3410 /* 3411 * No xattr support means, alas, no SMACK label. 3412 * Use the aforeapplied default. 3413 * It would be curious if the label of the task 3414 * does not match that assigned. 3415 */ 3416 if (!(inode->i_opflags & IOP_XATTR)) 3417 break; 3418 /* 3419 * Get the dentry for xattr. 3420 */ 3421 dp = dget(opt_dentry); 3422 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3423 if (!IS_ERR_OR_NULL(skp)) 3424 final = skp; 3425 3426 /* 3427 * Transmuting directory 3428 */ 3429 if (S_ISDIR(inode->i_mode)) { 3430 /* 3431 * If this is a new directory and the label was 3432 * transmuted when the inode was initialized 3433 * set the transmute attribute on the directory 3434 * and mark the inode. 3435 * 3436 * If there is a transmute attribute on the 3437 * directory mark the inode. 3438 */ 3439 if (isp->smk_flags & SMK_INODE_CHANGED) { 3440 isp->smk_flags &= ~SMK_INODE_CHANGED; 3441 rc = __vfs_setxattr(dp, inode, 3442 XATTR_NAME_SMACKTRANSMUTE, 3443 TRANS_TRUE, TRANS_TRUE_SIZE, 3444 0); 3445 } else { 3446 rc = __vfs_getxattr(dp, inode, 3447 XATTR_NAME_SMACKTRANSMUTE, trattr, 3448 TRANS_TRUE_SIZE); 3449 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3450 TRANS_TRUE_SIZE) != 0) 3451 rc = -EINVAL; 3452 } 3453 if (rc >= 0) 3454 transflag = SMK_INODE_TRANSMUTE; 3455 } 3456 /* 3457 * Don't let the exec or mmap label be "*" or "@". 3458 */ 3459 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3460 if (IS_ERR(skp) || skp == &smack_known_star || 3461 skp == &smack_known_web) 3462 skp = NULL; 3463 isp->smk_task = skp; 3464 3465 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3466 if (IS_ERR(skp) || skp == &smack_known_star || 3467 skp == &smack_known_web) 3468 skp = NULL; 3469 isp->smk_mmap = skp; 3470 3471 dput(dp); 3472 break; 3473 } 3474 3475 if (final == NULL) 3476 isp->smk_inode = ckp; 3477 else 3478 isp->smk_inode = final; 3479 3480 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3481 3482 unlockandout: 3483 mutex_unlock(&isp->smk_lock); 3484 return; 3485 } 3486 3487 /** 3488 * smack_getprocattr - Smack process attribute access 3489 * @p: the object task 3490 * @name: the name of the attribute in /proc/.../attr 3491 * @value: where to put the result 3492 * 3493 * Places a copy of the task Smack into value 3494 * 3495 * Returns the length of the smack label or an error code 3496 */ 3497 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3498 { 3499 struct smack_known *skp = smk_of_task_struct(p); 3500 char *cp; 3501 int slen; 3502 3503 if (strcmp(name, "current") != 0) 3504 return -EINVAL; 3505 3506 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3507 if (cp == NULL) 3508 return -ENOMEM; 3509 3510 slen = strlen(cp); 3511 *value = cp; 3512 return slen; 3513 } 3514 3515 /** 3516 * smack_setprocattr - Smack process attribute setting 3517 * @name: the name of the attribute in /proc/.../attr 3518 * @value: the value to set 3519 * @size: the size of the value 3520 * 3521 * Sets the Smack value of the task. Only setting self 3522 * is permitted and only with privilege 3523 * 3524 * Returns the length of the smack label or an error code 3525 */ 3526 static int smack_setprocattr(const char *name, void *value, size_t size) 3527 { 3528 struct task_smack *tsp = smack_cred(current_cred()); 3529 struct cred *new; 3530 struct smack_known *skp; 3531 struct smack_known_list_elem *sklep; 3532 int rc; 3533 3534 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3535 return -EPERM; 3536 3537 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3538 return -EINVAL; 3539 3540 if (strcmp(name, "current") != 0) 3541 return -EINVAL; 3542 3543 skp = smk_import_entry(value, size); 3544 if (IS_ERR(skp)) 3545 return PTR_ERR(skp); 3546 3547 /* 3548 * No process is ever allowed the web ("@") label 3549 * and the star ("*") label. 3550 */ 3551 if (skp == &smack_known_web || skp == &smack_known_star) 3552 return -EINVAL; 3553 3554 if (!smack_privileged(CAP_MAC_ADMIN)) { 3555 rc = -EPERM; 3556 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3557 if (sklep->smk_label == skp) { 3558 rc = 0; 3559 break; 3560 } 3561 if (rc) 3562 return rc; 3563 } 3564 3565 new = prepare_creds(); 3566 if (new == NULL) 3567 return -ENOMEM; 3568 3569 tsp = smack_cred(new); 3570 tsp->smk_task = skp; 3571 /* 3572 * process can change its label only once 3573 */ 3574 smk_destroy_label_list(&tsp->smk_relabel); 3575 3576 commit_creds(new); 3577 return size; 3578 } 3579 3580 /** 3581 * smack_unix_stream_connect - Smack access on UDS 3582 * @sock: one sock 3583 * @other: the other sock 3584 * @newsk: unused 3585 * 3586 * Return 0 if a subject with the smack of sock could access 3587 * an object with the smack of other, otherwise an error code 3588 */ 3589 static int smack_unix_stream_connect(struct sock *sock, 3590 struct sock *other, struct sock *newsk) 3591 { 3592 struct smack_known *skp; 3593 struct smack_known *okp; 3594 struct socket_smack *ssp = sock->sk_security; 3595 struct socket_smack *osp = other->sk_security; 3596 struct socket_smack *nsp = newsk->sk_security; 3597 struct smk_audit_info ad; 3598 int rc = 0; 3599 #ifdef CONFIG_AUDIT 3600 struct lsm_network_audit net; 3601 #endif 3602 3603 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3604 skp = ssp->smk_out; 3605 okp = osp->smk_in; 3606 #ifdef CONFIG_AUDIT 3607 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3608 smk_ad_setfield_u_net_sk(&ad, other); 3609 #endif 3610 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3611 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3612 if (rc == 0) { 3613 okp = osp->smk_out; 3614 skp = ssp->smk_in; 3615 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3616 rc = smk_bu_note("UDS connect", okp, skp, 3617 MAY_WRITE, rc); 3618 } 3619 } 3620 3621 /* 3622 * Cross reference the peer labels for SO_PEERSEC. 3623 */ 3624 if (rc == 0) { 3625 nsp->smk_packet = ssp->smk_out; 3626 ssp->smk_packet = osp->smk_out; 3627 } 3628 3629 return rc; 3630 } 3631 3632 /** 3633 * smack_unix_may_send - Smack access on UDS 3634 * @sock: one socket 3635 * @other: the other socket 3636 * 3637 * Return 0 if a subject with the smack of sock could access 3638 * an object with the smack of other, otherwise an error code 3639 */ 3640 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3641 { 3642 struct socket_smack *ssp = sock->sk->sk_security; 3643 struct socket_smack *osp = other->sk->sk_security; 3644 struct smk_audit_info ad; 3645 int rc; 3646 3647 #ifdef CONFIG_AUDIT 3648 struct lsm_network_audit net; 3649 3650 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3651 smk_ad_setfield_u_net_sk(&ad, other->sk); 3652 #endif 3653 3654 if (smack_privileged(CAP_MAC_OVERRIDE)) 3655 return 0; 3656 3657 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3658 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3659 return rc; 3660 } 3661 3662 /** 3663 * smack_socket_sendmsg - Smack check based on destination host 3664 * @sock: the socket 3665 * @msg: the message 3666 * @size: the size of the message 3667 * 3668 * Return 0 if the current subject can write to the destination host. 3669 * For IPv4 this is only a question if the destination is a single label host. 3670 * For IPv6 this is a check against the label of the port. 3671 */ 3672 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3673 int size) 3674 { 3675 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3676 #if IS_ENABLED(CONFIG_IPV6) 3677 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3678 #endif 3679 #ifdef SMACK_IPV6_SECMARK_LABELING 3680 struct socket_smack *ssp = sock->sk->sk_security; 3681 struct smack_known *rsp; 3682 #endif 3683 int rc = 0; 3684 3685 /* 3686 * Perfectly reasonable for this to be NULL 3687 */ 3688 if (sip == NULL) 3689 return 0; 3690 3691 switch (sock->sk->sk_family) { 3692 case AF_INET: 3693 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3694 sip->sin_family != AF_INET) 3695 return -EINVAL; 3696 rc = smack_netlabel_send(sock->sk, sip); 3697 break; 3698 #if IS_ENABLED(CONFIG_IPV6) 3699 case AF_INET6: 3700 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3701 sap->sin6_family != AF_INET6) 3702 return -EINVAL; 3703 #ifdef SMACK_IPV6_SECMARK_LABELING 3704 rsp = smack_ipv6host_label(sap); 3705 if (rsp != NULL) 3706 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3707 SMK_CONNECTING); 3708 #endif 3709 #ifdef SMACK_IPV6_PORT_LABELING 3710 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3711 #endif 3712 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3713 break; 3714 } 3715 return rc; 3716 } 3717 3718 /** 3719 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3720 * @sap: netlabel secattr 3721 * @ssp: socket security information 3722 * 3723 * Returns a pointer to a Smack label entry found on the label list. 3724 */ 3725 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3726 struct socket_smack *ssp) 3727 { 3728 struct smack_known *skp; 3729 int found = 0; 3730 int acat; 3731 int kcat; 3732 3733 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3734 /* 3735 * Looks like a CIPSO packet. 3736 * If there are flags but no level netlabel isn't 3737 * behaving the way we expect it to. 3738 * 3739 * Look it up in the label table 3740 * Without guidance regarding the smack value 3741 * for the packet fall back on the network 3742 * ambient value. 3743 */ 3744 rcu_read_lock(); 3745 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3746 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3747 continue; 3748 /* 3749 * Compare the catsets. Use the netlbl APIs. 3750 */ 3751 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3752 if ((skp->smk_netlabel.flags & 3753 NETLBL_SECATTR_MLS_CAT) == 0) 3754 found = 1; 3755 break; 3756 } 3757 for (acat = -1, kcat = -1; acat == kcat; ) { 3758 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3759 acat + 1); 3760 kcat = netlbl_catmap_walk( 3761 skp->smk_netlabel.attr.mls.cat, 3762 kcat + 1); 3763 if (acat < 0 || kcat < 0) 3764 break; 3765 } 3766 if (acat == kcat) { 3767 found = 1; 3768 break; 3769 } 3770 } 3771 rcu_read_unlock(); 3772 3773 if (found) 3774 return skp; 3775 3776 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3777 return &smack_known_web; 3778 return &smack_known_star; 3779 } 3780 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3781 /* 3782 * Looks like a fallback, which gives us a secid. 3783 */ 3784 return smack_from_secid(sap->attr.secid); 3785 /* 3786 * Without guidance regarding the smack value 3787 * for the packet fall back on the network 3788 * ambient value. 3789 */ 3790 return smack_net_ambient; 3791 } 3792 3793 #if IS_ENABLED(CONFIG_IPV6) 3794 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3795 { 3796 u8 nexthdr; 3797 int offset; 3798 int proto = -EINVAL; 3799 struct ipv6hdr _ipv6h; 3800 struct ipv6hdr *ip6; 3801 __be16 frag_off; 3802 struct tcphdr _tcph, *th; 3803 struct udphdr _udph, *uh; 3804 struct dccp_hdr _dccph, *dh; 3805 3806 sip->sin6_port = 0; 3807 3808 offset = skb_network_offset(skb); 3809 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3810 if (ip6 == NULL) 3811 return -EINVAL; 3812 sip->sin6_addr = ip6->saddr; 3813 3814 nexthdr = ip6->nexthdr; 3815 offset += sizeof(_ipv6h); 3816 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3817 if (offset < 0) 3818 return -EINVAL; 3819 3820 proto = nexthdr; 3821 switch (proto) { 3822 case IPPROTO_TCP: 3823 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3824 if (th != NULL) 3825 sip->sin6_port = th->source; 3826 break; 3827 case IPPROTO_UDP: 3828 case IPPROTO_UDPLITE: 3829 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3830 if (uh != NULL) 3831 sip->sin6_port = uh->source; 3832 break; 3833 case IPPROTO_DCCP: 3834 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3835 if (dh != NULL) 3836 sip->sin6_port = dh->dccph_sport; 3837 break; 3838 } 3839 return proto; 3840 } 3841 #endif /* CONFIG_IPV6 */ 3842 3843 /** 3844 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3845 * @sk: socket 3846 * @skb: packet 3847 * 3848 * Returns 0 if the packet should be delivered, an error code otherwise 3849 */ 3850 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3851 { 3852 struct netlbl_lsm_secattr secattr; 3853 struct socket_smack *ssp = sk->sk_security; 3854 struct smack_known *skp = NULL; 3855 int rc = 0; 3856 struct smk_audit_info ad; 3857 u16 family = sk->sk_family; 3858 #ifdef CONFIG_AUDIT 3859 struct lsm_network_audit net; 3860 #endif 3861 #if IS_ENABLED(CONFIG_IPV6) 3862 struct sockaddr_in6 sadd; 3863 int proto; 3864 3865 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3866 family = PF_INET; 3867 #endif /* CONFIG_IPV6 */ 3868 3869 switch (family) { 3870 case PF_INET: 3871 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3872 /* 3873 * If there is a secmark use it rather than the CIPSO label. 3874 * If there is no secmark fall back to CIPSO. 3875 * The secmark is assumed to reflect policy better. 3876 */ 3877 if (skb && skb->secmark != 0) { 3878 skp = smack_from_secid(skb->secmark); 3879 goto access_check; 3880 } 3881 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3882 /* 3883 * Translate what netlabel gave us. 3884 */ 3885 netlbl_secattr_init(&secattr); 3886 3887 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3888 if (rc == 0) 3889 skp = smack_from_secattr(&secattr, ssp); 3890 else 3891 skp = smack_net_ambient; 3892 3893 netlbl_secattr_destroy(&secattr); 3894 3895 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3896 access_check: 3897 #endif 3898 #ifdef CONFIG_AUDIT 3899 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3900 ad.a.u.net->family = family; 3901 ad.a.u.net->netif = skb->skb_iif; 3902 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3903 #endif 3904 /* 3905 * Receiving a packet requires that the other end 3906 * be able to write here. Read access is not required. 3907 * This is the simplist possible security model 3908 * for networking. 3909 */ 3910 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3911 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3912 MAY_WRITE, rc); 3913 if (rc != 0) 3914 netlbl_skbuff_err(skb, family, rc, 0); 3915 break; 3916 #if IS_ENABLED(CONFIG_IPV6) 3917 case PF_INET6: 3918 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3919 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3920 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3921 break; 3922 #ifdef SMACK_IPV6_SECMARK_LABELING 3923 if (skb && skb->secmark != 0) 3924 skp = smack_from_secid(skb->secmark); 3925 else if (smk_ipv6_localhost(&sadd)) 3926 break; 3927 else 3928 skp = smack_ipv6host_label(&sadd); 3929 if (skp == NULL) 3930 skp = smack_net_ambient; 3931 #ifdef CONFIG_AUDIT 3932 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3933 ad.a.u.net->family = family; 3934 ad.a.u.net->netif = skb->skb_iif; 3935 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3936 #endif /* CONFIG_AUDIT */ 3937 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3938 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3939 MAY_WRITE, rc); 3940 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3941 #ifdef SMACK_IPV6_PORT_LABELING 3942 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3943 #endif /* SMACK_IPV6_PORT_LABELING */ 3944 if (rc != 0) 3945 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3946 ICMPV6_ADM_PROHIBITED, 0); 3947 break; 3948 #endif /* CONFIG_IPV6 */ 3949 } 3950 3951 return rc; 3952 } 3953 3954 /** 3955 * smack_socket_getpeersec_stream - pull in packet label 3956 * @sock: the socket 3957 * @optval: user's destination 3958 * @optlen: size thereof 3959 * @len: max thereof 3960 * 3961 * returns zero on success, an error code otherwise 3962 */ 3963 static int smack_socket_getpeersec_stream(struct socket *sock, 3964 char __user *optval, 3965 int __user *optlen, unsigned len) 3966 { 3967 struct socket_smack *ssp; 3968 char *rcp = ""; 3969 int slen = 1; 3970 int rc = 0; 3971 3972 ssp = sock->sk->sk_security; 3973 if (ssp->smk_packet != NULL) { 3974 rcp = ssp->smk_packet->smk_known; 3975 slen = strlen(rcp) + 1; 3976 } 3977 3978 if (slen > len) 3979 rc = -ERANGE; 3980 else if (copy_to_user(optval, rcp, slen) != 0) 3981 rc = -EFAULT; 3982 3983 if (put_user(slen, optlen) != 0) 3984 rc = -EFAULT; 3985 3986 return rc; 3987 } 3988 3989 3990 /** 3991 * smack_socket_getpeersec_dgram - pull in packet label 3992 * @sock: the peer socket 3993 * @skb: packet data 3994 * @secid: pointer to where to put the secid of the packet 3995 * 3996 * Sets the netlabel socket state on sk from parent 3997 */ 3998 static int smack_socket_getpeersec_dgram(struct socket *sock, 3999 struct sk_buff *skb, u32 *secid) 4000 4001 { 4002 struct netlbl_lsm_secattr secattr; 4003 struct socket_smack *ssp = NULL; 4004 struct smack_known *skp; 4005 int family = PF_UNSPEC; 4006 u32 s = 0; /* 0 is the invalid secid */ 4007 int rc; 4008 4009 if (skb != NULL) { 4010 if (skb->protocol == htons(ETH_P_IP)) 4011 family = PF_INET; 4012 #if IS_ENABLED(CONFIG_IPV6) 4013 else if (skb->protocol == htons(ETH_P_IPV6)) 4014 family = PF_INET6; 4015 #endif /* CONFIG_IPV6 */ 4016 } 4017 if (family == PF_UNSPEC && sock != NULL) 4018 family = sock->sk->sk_family; 4019 4020 switch (family) { 4021 case PF_UNIX: 4022 ssp = sock->sk->sk_security; 4023 s = ssp->smk_out->smk_secid; 4024 break; 4025 case PF_INET: 4026 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4027 s = skb->secmark; 4028 if (s != 0) 4029 break; 4030 #endif 4031 /* 4032 * Translate what netlabel gave us. 4033 */ 4034 if (sock != NULL && sock->sk != NULL) 4035 ssp = sock->sk->sk_security; 4036 netlbl_secattr_init(&secattr); 4037 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4038 if (rc == 0) { 4039 skp = smack_from_secattr(&secattr, ssp); 4040 s = skp->smk_secid; 4041 } 4042 netlbl_secattr_destroy(&secattr); 4043 break; 4044 case PF_INET6: 4045 #ifdef SMACK_IPV6_SECMARK_LABELING 4046 s = skb->secmark; 4047 #endif 4048 break; 4049 } 4050 *secid = s; 4051 if (s == 0) 4052 return -EINVAL; 4053 return 0; 4054 } 4055 4056 /** 4057 * smack_sock_graft - Initialize a newly created socket with an existing sock 4058 * @sk: child sock 4059 * @parent: parent socket 4060 * 4061 * Set the smk_{in,out} state of an existing sock based on the process that 4062 * is creating the new socket. 4063 */ 4064 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4065 { 4066 struct socket_smack *ssp; 4067 struct smack_known *skp = smk_of_current(); 4068 4069 if (sk == NULL || 4070 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4071 return; 4072 4073 ssp = sk->sk_security; 4074 ssp->smk_in = skp; 4075 ssp->smk_out = skp; 4076 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4077 } 4078 4079 /** 4080 * smack_inet_conn_request - Smack access check on connect 4081 * @sk: socket involved 4082 * @skb: packet 4083 * @req: unused 4084 * 4085 * Returns 0 if a task with the packet label could write to 4086 * the socket, otherwise an error code 4087 */ 4088 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4089 struct request_sock *req) 4090 { 4091 u16 family = sk->sk_family; 4092 struct smack_known *skp; 4093 struct socket_smack *ssp = sk->sk_security; 4094 struct netlbl_lsm_secattr secattr; 4095 struct sockaddr_in addr; 4096 struct iphdr *hdr; 4097 struct smack_known *hskp; 4098 int rc; 4099 struct smk_audit_info ad; 4100 #ifdef CONFIG_AUDIT 4101 struct lsm_network_audit net; 4102 #endif 4103 4104 #if IS_ENABLED(CONFIG_IPV6) 4105 if (family == PF_INET6) { 4106 /* 4107 * Handle mapped IPv4 packets arriving 4108 * via IPv6 sockets. Don't set up netlabel 4109 * processing on IPv6. 4110 */ 4111 if (skb->protocol == htons(ETH_P_IP)) 4112 family = PF_INET; 4113 else 4114 return 0; 4115 } 4116 #endif /* CONFIG_IPV6 */ 4117 4118 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4119 /* 4120 * If there is a secmark use it rather than the CIPSO label. 4121 * If there is no secmark fall back to CIPSO. 4122 * The secmark is assumed to reflect policy better. 4123 */ 4124 if (skb && skb->secmark != 0) { 4125 skp = smack_from_secid(skb->secmark); 4126 goto access_check; 4127 } 4128 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4129 4130 netlbl_secattr_init(&secattr); 4131 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4132 if (rc == 0) 4133 skp = smack_from_secattr(&secattr, ssp); 4134 else 4135 skp = &smack_known_huh; 4136 netlbl_secattr_destroy(&secattr); 4137 4138 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4139 access_check: 4140 #endif 4141 4142 #ifdef CONFIG_AUDIT 4143 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4144 ad.a.u.net->family = family; 4145 ad.a.u.net->netif = skb->skb_iif; 4146 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4147 #endif 4148 /* 4149 * Receiving a packet requires that the other end be able to write 4150 * here. Read access is not required. 4151 */ 4152 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4153 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4154 if (rc != 0) 4155 return rc; 4156 4157 /* 4158 * Save the peer's label in the request_sock so we can later setup 4159 * smk_packet in the child socket so that SO_PEERCRED can report it. 4160 */ 4161 req->peer_secid = skp->smk_secid; 4162 4163 /* 4164 * We need to decide if we want to label the incoming connection here 4165 * if we do we only need to label the request_sock and the stack will 4166 * propagate the wire-label to the sock when it is created. 4167 */ 4168 hdr = ip_hdr(skb); 4169 addr.sin_addr.s_addr = hdr->saddr; 4170 rcu_read_lock(); 4171 hskp = smack_ipv4host_label(&addr); 4172 rcu_read_unlock(); 4173 4174 if (hskp == NULL) 4175 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4176 else 4177 netlbl_req_delattr(req); 4178 4179 return rc; 4180 } 4181 4182 /** 4183 * smack_inet_csk_clone - Copy the connection information to the new socket 4184 * @sk: the new socket 4185 * @req: the connection's request_sock 4186 * 4187 * Transfer the connection's peer label to the newly created socket. 4188 */ 4189 static void smack_inet_csk_clone(struct sock *sk, 4190 const struct request_sock *req) 4191 { 4192 struct socket_smack *ssp = sk->sk_security; 4193 struct smack_known *skp; 4194 4195 if (req->peer_secid != 0) { 4196 skp = smack_from_secid(req->peer_secid); 4197 ssp->smk_packet = skp; 4198 } else 4199 ssp->smk_packet = NULL; 4200 } 4201 4202 /* 4203 * Key management security hooks 4204 * 4205 * Casey has not tested key support very heavily. 4206 * The permission check is most likely too restrictive. 4207 * If you care about keys please have a look. 4208 */ 4209 #ifdef CONFIG_KEYS 4210 4211 /** 4212 * smack_key_alloc - Set the key security blob 4213 * @key: object 4214 * @cred: the credentials to use 4215 * @flags: unused 4216 * 4217 * No allocation required 4218 * 4219 * Returns 0 4220 */ 4221 static int smack_key_alloc(struct key *key, const struct cred *cred, 4222 unsigned long flags) 4223 { 4224 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4225 4226 key->security = skp; 4227 return 0; 4228 } 4229 4230 /** 4231 * smack_key_free - Clear the key security blob 4232 * @key: the object 4233 * 4234 * Clear the blob pointer 4235 */ 4236 static void smack_key_free(struct key *key) 4237 { 4238 key->security = NULL; 4239 } 4240 4241 /** 4242 * smack_key_permission - Smack access on a key 4243 * @key_ref: gets to the object 4244 * @cred: the credentials to use 4245 * @perm: requested key permissions 4246 * 4247 * Return 0 if the task has read and write to the object, 4248 * an error code otherwise 4249 */ 4250 static int smack_key_permission(key_ref_t key_ref, 4251 const struct cred *cred, unsigned perm) 4252 { 4253 struct key *keyp; 4254 struct smk_audit_info ad; 4255 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4256 int request = 0; 4257 int rc; 4258 4259 /* 4260 * Validate requested permissions 4261 */ 4262 if (perm & ~KEY_NEED_ALL) 4263 return -EINVAL; 4264 4265 keyp = key_ref_to_ptr(key_ref); 4266 if (keyp == NULL) 4267 return -EINVAL; 4268 /* 4269 * If the key hasn't been initialized give it access so that 4270 * it may do so. 4271 */ 4272 if (keyp->security == NULL) 4273 return 0; 4274 /* 4275 * This should not occur 4276 */ 4277 if (tkp == NULL) 4278 return -EACCES; 4279 4280 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4281 return 0; 4282 4283 #ifdef CONFIG_AUDIT 4284 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4285 ad.a.u.key_struct.key = keyp->serial; 4286 ad.a.u.key_struct.key_desc = keyp->description; 4287 #endif 4288 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4289 request |= MAY_READ; 4290 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4291 request |= MAY_WRITE; 4292 rc = smk_access(tkp, keyp->security, request, &ad); 4293 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4294 return rc; 4295 } 4296 4297 /* 4298 * smack_key_getsecurity - Smack label tagging the key 4299 * @key points to the key to be queried 4300 * @_buffer points to a pointer that should be set to point to the 4301 * resulting string (if no label or an error occurs). 4302 * Return the length of the string (including terminating NUL) or -ve if 4303 * an error. 4304 * May also return 0 (and a NULL buffer pointer) if there is no label. 4305 */ 4306 static int smack_key_getsecurity(struct key *key, char **_buffer) 4307 { 4308 struct smack_known *skp = key->security; 4309 size_t length; 4310 char *copy; 4311 4312 if (key->security == NULL) { 4313 *_buffer = NULL; 4314 return 0; 4315 } 4316 4317 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4318 if (copy == NULL) 4319 return -ENOMEM; 4320 length = strlen(copy) + 1; 4321 4322 *_buffer = copy; 4323 return length; 4324 } 4325 4326 #endif /* CONFIG_KEYS */ 4327 4328 /* 4329 * Smack Audit hooks 4330 * 4331 * Audit requires a unique representation of each Smack specific 4332 * rule. This unique representation is used to distinguish the 4333 * object to be audited from remaining kernel objects and also 4334 * works as a glue between the audit hooks. 4335 * 4336 * Since repository entries are added but never deleted, we'll use 4337 * the smack_known label address related to the given audit rule as 4338 * the needed unique representation. This also better fits the smack 4339 * model where nearly everything is a label. 4340 */ 4341 #ifdef CONFIG_AUDIT 4342 4343 /** 4344 * smack_audit_rule_init - Initialize a smack audit rule 4345 * @field: audit rule fields given from user-space (audit.h) 4346 * @op: required testing operator (=, !=, >, <, ...) 4347 * @rulestr: smack label to be audited 4348 * @vrule: pointer to save our own audit rule representation 4349 * 4350 * Prepare to audit cases where (@field @op @rulestr) is true. 4351 * The label to be audited is created if necessay. 4352 */ 4353 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4354 { 4355 struct smack_known *skp; 4356 char **rule = (char **)vrule; 4357 *rule = NULL; 4358 4359 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4360 return -EINVAL; 4361 4362 if (op != Audit_equal && op != Audit_not_equal) 4363 return -EINVAL; 4364 4365 skp = smk_import_entry(rulestr, 0); 4366 if (IS_ERR(skp)) 4367 return PTR_ERR(skp); 4368 4369 *rule = skp->smk_known; 4370 4371 return 0; 4372 } 4373 4374 /** 4375 * smack_audit_rule_known - Distinguish Smack audit rules 4376 * @krule: rule of interest, in Audit kernel representation format 4377 * 4378 * This is used to filter Smack rules from remaining Audit ones. 4379 * If it's proved that this rule belongs to us, the 4380 * audit_rule_match hook will be called to do the final judgement. 4381 */ 4382 static int smack_audit_rule_known(struct audit_krule *krule) 4383 { 4384 struct audit_field *f; 4385 int i; 4386 4387 for (i = 0; i < krule->field_count; i++) { 4388 f = &krule->fields[i]; 4389 4390 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4391 return 1; 4392 } 4393 4394 return 0; 4395 } 4396 4397 /** 4398 * smack_audit_rule_match - Audit given object ? 4399 * @secid: security id for identifying the object to test 4400 * @field: audit rule flags given from user-space 4401 * @op: required testing operator 4402 * @vrule: smack internal rule presentation 4403 * 4404 * The core Audit hook. It's used to take the decision of 4405 * whether to audit or not to audit a given object. 4406 */ 4407 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4408 { 4409 struct smack_known *skp; 4410 char *rule = vrule; 4411 4412 if (unlikely(!rule)) { 4413 WARN_ONCE(1, "Smack: missing rule\n"); 4414 return -ENOENT; 4415 } 4416 4417 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4418 return 0; 4419 4420 skp = smack_from_secid(secid); 4421 4422 /* 4423 * No need to do string comparisons. If a match occurs, 4424 * both pointers will point to the same smack_known 4425 * label. 4426 */ 4427 if (op == Audit_equal) 4428 return (rule == skp->smk_known); 4429 if (op == Audit_not_equal) 4430 return (rule != skp->smk_known); 4431 4432 return 0; 4433 } 4434 4435 /* 4436 * There is no need for a smack_audit_rule_free hook. 4437 * No memory was allocated. 4438 */ 4439 4440 #endif /* CONFIG_AUDIT */ 4441 4442 /** 4443 * smack_ismaclabel - check if xattr @name references a smack MAC label 4444 * @name: Full xattr name to check. 4445 */ 4446 static int smack_ismaclabel(const char *name) 4447 { 4448 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4449 } 4450 4451 4452 /** 4453 * smack_secid_to_secctx - return the smack label for a secid 4454 * @secid: incoming integer 4455 * @secdata: destination 4456 * @seclen: how long it is 4457 * 4458 * Exists for networking code. 4459 */ 4460 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4461 { 4462 struct smack_known *skp = smack_from_secid(secid); 4463 4464 if (secdata) 4465 *secdata = skp->smk_known; 4466 *seclen = strlen(skp->smk_known); 4467 return 0; 4468 } 4469 4470 /** 4471 * smack_secctx_to_secid - return the secid for a smack label 4472 * @secdata: smack label 4473 * @seclen: how long result is 4474 * @secid: outgoing integer 4475 * 4476 * Exists for audit and networking code. 4477 */ 4478 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4479 { 4480 struct smack_known *skp = smk_find_entry(secdata); 4481 4482 if (skp) 4483 *secid = skp->smk_secid; 4484 else 4485 *secid = 0; 4486 return 0; 4487 } 4488 4489 /* 4490 * There used to be a smack_release_secctx hook 4491 * that did nothing back when hooks were in a vector. 4492 * Now that there's a list such a hook adds cost. 4493 */ 4494 4495 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4496 { 4497 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4498 } 4499 4500 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4501 { 4502 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4503 } 4504 4505 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4506 { 4507 struct smack_known *skp = smk_of_inode(inode); 4508 4509 *ctx = skp->smk_known; 4510 *ctxlen = strlen(skp->smk_known); 4511 return 0; 4512 } 4513 4514 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4515 { 4516 4517 struct task_smack *tsp; 4518 struct smack_known *skp; 4519 struct inode_smack *isp; 4520 struct cred *new_creds = *new; 4521 4522 if (new_creds == NULL) { 4523 new_creds = prepare_creds(); 4524 if (new_creds == NULL) 4525 return -ENOMEM; 4526 } 4527 4528 tsp = smack_cred(new_creds); 4529 4530 /* 4531 * Get label from overlay inode and set it in create_sid 4532 */ 4533 isp = smack_inode(d_inode(dentry->d_parent)); 4534 skp = isp->smk_inode; 4535 tsp->smk_task = skp; 4536 *new = new_creds; 4537 return 0; 4538 } 4539 4540 static int smack_inode_copy_up_xattr(const char *name) 4541 { 4542 /* 4543 * Return 1 if this is the smack access Smack attribute. 4544 */ 4545 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4546 return 1; 4547 4548 return -EOPNOTSUPP; 4549 } 4550 4551 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4552 struct qstr *name, 4553 const struct cred *old, 4554 struct cred *new) 4555 { 4556 struct task_smack *otsp = smack_cred(old); 4557 struct task_smack *ntsp = smack_cred(new); 4558 struct inode_smack *isp; 4559 int may; 4560 4561 /* 4562 * Use the process credential unless all of 4563 * the transmuting criteria are met 4564 */ 4565 ntsp->smk_task = otsp->smk_task; 4566 4567 /* 4568 * the attribute of the containing directory 4569 */ 4570 isp = smack_inode(d_inode(dentry->d_parent)); 4571 4572 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4573 rcu_read_lock(); 4574 may = smk_access_entry(otsp->smk_task->smk_known, 4575 isp->smk_inode->smk_known, 4576 &otsp->smk_task->smk_rules); 4577 rcu_read_unlock(); 4578 4579 /* 4580 * If the directory is transmuting and the rule 4581 * providing access is transmuting use the containing 4582 * directory label instead of the process label. 4583 */ 4584 if (may > 0 && (may & MAY_TRANSMUTE)) 4585 ntsp->smk_task = isp->smk_inode; 4586 } 4587 return 0; 4588 } 4589 4590 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { 4591 .lbs_cred = sizeof(struct task_smack), 4592 .lbs_file = sizeof(struct smack_known *), 4593 .lbs_inode = sizeof(struct inode_smack), 4594 .lbs_ipc = sizeof(struct smack_known *), 4595 .lbs_msg_msg = sizeof(struct smack_known *), 4596 }; 4597 4598 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4599 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4600 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4601 LSM_HOOK_INIT(syslog, smack_syslog), 4602 4603 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 4604 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 4605 4606 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4607 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4608 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4609 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4610 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4611 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4612 4613 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4614 4615 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4616 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4617 LSM_HOOK_INIT(inode_link, smack_inode_link), 4618 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4619 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4620 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4621 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4622 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4623 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4624 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4625 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4626 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4627 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4628 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4629 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4630 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4631 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4632 4633 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4634 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4635 LSM_HOOK_INIT(file_lock, smack_file_lock), 4636 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4637 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4638 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4639 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4640 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4641 LSM_HOOK_INIT(file_receive, smack_file_receive), 4642 4643 LSM_HOOK_INIT(file_open, smack_file_open), 4644 4645 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4646 LSM_HOOK_INIT(cred_free, smack_cred_free), 4647 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4648 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4649 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4650 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4651 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4652 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4653 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4654 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4655 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4656 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4657 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4658 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4659 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4660 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4661 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4662 LSM_HOOK_INIT(task_kill, smack_task_kill), 4663 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4664 4665 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4666 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4667 4668 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4669 4670 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4671 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4672 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4673 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4674 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4675 4676 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4677 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4678 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4679 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4680 4681 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4682 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4683 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4684 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4685 4686 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4687 4688 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4689 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4690 4691 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4692 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4693 4694 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4695 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4696 #ifdef SMACK_IPV6_PORT_LABELING 4697 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4698 #endif 4699 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4700 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4701 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4702 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4703 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4704 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4705 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4706 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4707 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4708 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4709 4710 /* key management security hooks */ 4711 #ifdef CONFIG_KEYS 4712 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4713 LSM_HOOK_INIT(key_free, smack_key_free), 4714 LSM_HOOK_INIT(key_permission, smack_key_permission), 4715 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4716 #endif /* CONFIG_KEYS */ 4717 4718 /* Audit hooks */ 4719 #ifdef CONFIG_AUDIT 4720 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4721 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4722 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4723 #endif /* CONFIG_AUDIT */ 4724 4725 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4726 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4727 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4728 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4729 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4730 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4731 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4732 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4733 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4734 }; 4735 4736 4737 static __init void init_smack_known_list(void) 4738 { 4739 /* 4740 * Initialize rule list locks 4741 */ 4742 mutex_init(&smack_known_huh.smk_rules_lock); 4743 mutex_init(&smack_known_hat.smk_rules_lock); 4744 mutex_init(&smack_known_floor.smk_rules_lock); 4745 mutex_init(&smack_known_star.smk_rules_lock); 4746 mutex_init(&smack_known_web.smk_rules_lock); 4747 /* 4748 * Initialize rule lists 4749 */ 4750 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4751 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4752 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4753 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4754 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4755 /* 4756 * Create the known labels list 4757 */ 4758 smk_insert_entry(&smack_known_huh); 4759 smk_insert_entry(&smack_known_hat); 4760 smk_insert_entry(&smack_known_star); 4761 smk_insert_entry(&smack_known_floor); 4762 smk_insert_entry(&smack_known_web); 4763 } 4764 4765 /** 4766 * smack_init - initialize the smack system 4767 * 4768 * Returns 0 4769 */ 4770 static __init int smack_init(void) 4771 { 4772 struct cred *cred = (struct cred *) current->cred; 4773 struct task_smack *tsp; 4774 4775 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4776 if (!smack_inode_cache) 4777 return -ENOMEM; 4778 4779 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 4780 if (!smack_rule_cache) { 4781 kmem_cache_destroy(smack_inode_cache); 4782 return -ENOMEM; 4783 } 4784 4785 /* 4786 * Set the security state for the initial task. 4787 */ 4788 tsp = smack_cred(cred); 4789 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 4790 4791 /* 4792 * Register with LSM 4793 */ 4794 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4795 smack_enabled = 1; 4796 4797 pr_info("Smack: Initializing.\n"); 4798 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4799 pr_info("Smack: Netfilter enabled.\n"); 4800 #endif 4801 #ifdef SMACK_IPV6_PORT_LABELING 4802 pr_info("Smack: IPv6 port labeling enabled.\n"); 4803 #endif 4804 #ifdef SMACK_IPV6_SECMARK_LABELING 4805 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4806 #endif 4807 4808 /* initialize the smack_known_list */ 4809 init_smack_known_list(); 4810 4811 return 0; 4812 } 4813 4814 /* 4815 * Smack requires early initialization in order to label 4816 * all processes and objects when they are created. 4817 */ 4818 DEFINE_LSM(smack) = { 4819 .name = "smack", 4820 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 4821 .blobs = &smack_blob_sizes, 4822 .init = smack_init, 4823 }; 4824