1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/slab.h> 31 #include <linux/mutex.h> 32 #include <linux/pipe_fs_i.h> 33 #include <net/netlabel.h> 34 #include <net/cipso_ipv4.h> 35 #include <linux/audit.h> 36 #include <linux/magic.h> 37 #include <linux/dcache.h> 38 #include <linux/personality.h> 39 #include "smack.h" 40 41 #define task_security(task) (task_cred_xxx((task), security)) 42 43 #define TRANS_TRUE "TRUE" 44 #define TRANS_TRUE_SIZE 4 45 46 /** 47 * smk_fetch - Fetch the smack label from a file. 48 * @ip: a pointer to the inode 49 * @dp: a pointer to the dentry 50 * 51 * Returns a pointer to the master list entry for the Smack label 52 * or NULL if there was no label to fetch. 53 */ 54 static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp) 55 { 56 int rc; 57 char in[SMK_LABELLEN]; 58 59 if (ip->i_op->getxattr == NULL) 60 return NULL; 61 62 rc = ip->i_op->getxattr(dp, name, in, SMK_LABELLEN); 63 if (rc < 0) 64 return NULL; 65 66 return smk_import(in, rc); 67 } 68 69 /** 70 * new_inode_smack - allocate an inode security blob 71 * @smack: a pointer to the Smack label to use in the blob 72 * 73 * Returns the new blob or NULL if there's no memory available 74 */ 75 struct inode_smack *new_inode_smack(char *smack) 76 { 77 struct inode_smack *isp; 78 79 isp = kzalloc(sizeof(struct inode_smack), GFP_KERNEL); 80 if (isp == NULL) 81 return NULL; 82 83 isp->smk_inode = smack; 84 isp->smk_flags = 0; 85 mutex_init(&isp->smk_lock); 86 87 return isp; 88 } 89 90 /** 91 * new_task_smack - allocate a task security blob 92 * @smack: a pointer to the Smack label to use in the blob 93 * 94 * Returns the new blob or NULL if there's no memory available 95 */ 96 static struct task_smack *new_task_smack(char *task, char *forked, gfp_t gfp) 97 { 98 struct task_smack *tsp; 99 100 tsp = kzalloc(sizeof(struct task_smack), gfp); 101 if (tsp == NULL) 102 return NULL; 103 104 tsp->smk_task = task; 105 tsp->smk_forked = forked; 106 INIT_LIST_HEAD(&tsp->smk_rules); 107 mutex_init(&tsp->smk_rules_lock); 108 109 return tsp; 110 } 111 112 /** 113 * smk_copy_rules - copy a rule set 114 * @nhead - new rules header pointer 115 * @ohead - old rules header pointer 116 * 117 * Returns 0 on success, -ENOMEM on error 118 */ 119 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 120 gfp_t gfp) 121 { 122 struct smack_rule *nrp; 123 struct smack_rule *orp; 124 int rc = 0; 125 126 INIT_LIST_HEAD(nhead); 127 128 list_for_each_entry_rcu(orp, ohead, list) { 129 nrp = kzalloc(sizeof(struct smack_rule), gfp); 130 if (nrp == NULL) { 131 rc = -ENOMEM; 132 break; 133 } 134 *nrp = *orp; 135 list_add_rcu(&nrp->list, nhead); 136 } 137 return rc; 138 } 139 140 /* 141 * LSM hooks. 142 * We he, that is fun! 143 */ 144 145 /** 146 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 147 * @ctp: child task pointer 148 * @mode: ptrace attachment mode 149 * 150 * Returns 0 if access is OK, an error code otherwise 151 * 152 * Do the capability checks, and require read and write. 153 */ 154 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 155 { 156 int rc; 157 struct smk_audit_info ad; 158 char *tsp; 159 160 rc = cap_ptrace_access_check(ctp, mode); 161 if (rc != 0) 162 return rc; 163 164 tsp = smk_of_task(task_security(ctp)); 165 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 166 smk_ad_setfield_u_tsk(&ad, ctp); 167 168 rc = smk_curacc(tsp, MAY_READWRITE, &ad); 169 return rc; 170 } 171 172 /** 173 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 174 * @ptp: parent task pointer 175 * 176 * Returns 0 if access is OK, an error code otherwise 177 * 178 * Do the capability checks, and require read and write. 179 */ 180 static int smack_ptrace_traceme(struct task_struct *ptp) 181 { 182 int rc; 183 struct smk_audit_info ad; 184 char *tsp; 185 186 rc = cap_ptrace_traceme(ptp); 187 if (rc != 0) 188 return rc; 189 190 tsp = smk_of_task(task_security(ptp)); 191 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 192 smk_ad_setfield_u_tsk(&ad, ptp); 193 194 rc = smk_curacc(tsp, MAY_READWRITE, &ad); 195 return rc; 196 } 197 198 /** 199 * smack_syslog - Smack approval on syslog 200 * @type: message type 201 * 202 * Require that the task has the floor label 203 * 204 * Returns 0 on success, error code otherwise. 205 */ 206 static int smack_syslog(int typefrom_file) 207 { 208 int rc = 0; 209 char *sp = smk_of_current(); 210 211 if (capable(CAP_MAC_OVERRIDE)) 212 return 0; 213 214 if (sp != smack_known_floor.smk_known) 215 rc = -EACCES; 216 217 return rc; 218 } 219 220 221 /* 222 * Superblock Hooks. 223 */ 224 225 /** 226 * smack_sb_alloc_security - allocate a superblock blob 227 * @sb: the superblock getting the blob 228 * 229 * Returns 0 on success or -ENOMEM on error. 230 */ 231 static int smack_sb_alloc_security(struct super_block *sb) 232 { 233 struct superblock_smack *sbsp; 234 235 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 236 237 if (sbsp == NULL) 238 return -ENOMEM; 239 240 sbsp->smk_root = smack_known_floor.smk_known; 241 sbsp->smk_default = smack_known_floor.smk_known; 242 sbsp->smk_floor = smack_known_floor.smk_known; 243 sbsp->smk_hat = smack_known_hat.smk_known; 244 sbsp->smk_initialized = 0; 245 spin_lock_init(&sbsp->smk_sblock); 246 247 sb->s_security = sbsp; 248 249 return 0; 250 } 251 252 /** 253 * smack_sb_free_security - free a superblock blob 254 * @sb: the superblock getting the blob 255 * 256 */ 257 static void smack_sb_free_security(struct super_block *sb) 258 { 259 kfree(sb->s_security); 260 sb->s_security = NULL; 261 } 262 263 /** 264 * smack_sb_copy_data - copy mount options data for processing 265 * @orig: where to start 266 * @smackopts: mount options string 267 * 268 * Returns 0 on success or -ENOMEM on error. 269 * 270 * Copy the Smack specific mount options out of the mount 271 * options list. 272 */ 273 static int smack_sb_copy_data(char *orig, char *smackopts) 274 { 275 char *cp, *commap, *otheropts, *dp; 276 277 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 278 if (otheropts == NULL) 279 return -ENOMEM; 280 281 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 282 if (strstr(cp, SMK_FSDEFAULT) == cp) 283 dp = smackopts; 284 else if (strstr(cp, SMK_FSFLOOR) == cp) 285 dp = smackopts; 286 else if (strstr(cp, SMK_FSHAT) == cp) 287 dp = smackopts; 288 else if (strstr(cp, SMK_FSROOT) == cp) 289 dp = smackopts; 290 else 291 dp = otheropts; 292 293 commap = strchr(cp, ','); 294 if (commap != NULL) 295 *commap = '\0'; 296 297 if (*dp != '\0') 298 strcat(dp, ","); 299 strcat(dp, cp); 300 } 301 302 strcpy(orig, otheropts); 303 free_page((unsigned long)otheropts); 304 305 return 0; 306 } 307 308 /** 309 * smack_sb_kern_mount - Smack specific mount processing 310 * @sb: the file system superblock 311 * @flags: the mount flags 312 * @data: the smack mount options 313 * 314 * Returns 0 on success, an error code on failure 315 */ 316 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 317 { 318 struct dentry *root = sb->s_root; 319 struct inode *inode = root->d_inode; 320 struct superblock_smack *sp = sb->s_security; 321 struct inode_smack *isp; 322 char *op; 323 char *commap; 324 char *nsp; 325 326 spin_lock(&sp->smk_sblock); 327 if (sp->smk_initialized != 0) { 328 spin_unlock(&sp->smk_sblock); 329 return 0; 330 } 331 sp->smk_initialized = 1; 332 spin_unlock(&sp->smk_sblock); 333 334 for (op = data; op != NULL; op = commap) { 335 commap = strchr(op, ','); 336 if (commap != NULL) 337 *commap++ = '\0'; 338 339 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 340 op += strlen(SMK_FSHAT); 341 nsp = smk_import(op, 0); 342 if (nsp != NULL) 343 sp->smk_hat = nsp; 344 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 345 op += strlen(SMK_FSFLOOR); 346 nsp = smk_import(op, 0); 347 if (nsp != NULL) 348 sp->smk_floor = nsp; 349 } else if (strncmp(op, SMK_FSDEFAULT, 350 strlen(SMK_FSDEFAULT)) == 0) { 351 op += strlen(SMK_FSDEFAULT); 352 nsp = smk_import(op, 0); 353 if (nsp != NULL) 354 sp->smk_default = nsp; 355 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 356 op += strlen(SMK_FSROOT); 357 nsp = smk_import(op, 0); 358 if (nsp != NULL) 359 sp->smk_root = nsp; 360 } 361 } 362 363 /* 364 * Initialize the root inode. 365 */ 366 isp = inode->i_security; 367 if (isp == NULL) 368 inode->i_security = new_inode_smack(sp->smk_root); 369 else 370 isp->smk_inode = sp->smk_root; 371 372 return 0; 373 } 374 375 /** 376 * smack_sb_statfs - Smack check on statfs 377 * @dentry: identifies the file system in question 378 * 379 * Returns 0 if current can read the floor of the filesystem, 380 * and error code otherwise 381 */ 382 static int smack_sb_statfs(struct dentry *dentry) 383 { 384 struct superblock_smack *sbp = dentry->d_sb->s_security; 385 int rc; 386 struct smk_audit_info ad; 387 388 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 389 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 390 391 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 392 return rc; 393 } 394 395 /** 396 * smack_sb_mount - Smack check for mounting 397 * @dev_name: unused 398 * @path: mount point 399 * @type: unused 400 * @flags: unused 401 * @data: unused 402 * 403 * Returns 0 if current can write the floor of the filesystem 404 * being mounted on, an error code otherwise. 405 */ 406 static int smack_sb_mount(char *dev_name, struct path *path, 407 char *type, unsigned long flags, void *data) 408 { 409 struct superblock_smack *sbp = path->dentry->d_sb->s_security; 410 struct smk_audit_info ad; 411 412 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 413 smk_ad_setfield_u_fs_path(&ad, *path); 414 415 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 416 } 417 418 /** 419 * smack_sb_umount - Smack check for unmounting 420 * @mnt: file system to unmount 421 * @flags: unused 422 * 423 * Returns 0 if current can write the floor of the filesystem 424 * being unmounted, an error code otherwise. 425 */ 426 static int smack_sb_umount(struct vfsmount *mnt, int flags) 427 { 428 struct superblock_smack *sbp; 429 struct smk_audit_info ad; 430 struct path path; 431 432 path.dentry = mnt->mnt_root; 433 path.mnt = mnt; 434 435 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 436 smk_ad_setfield_u_fs_path(&ad, path); 437 438 sbp = path.dentry->d_sb->s_security; 439 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 440 } 441 442 /* 443 * BPRM hooks 444 */ 445 446 /** 447 * smack_bprm_set_creds - set creds for exec 448 * @bprm: the exec information 449 * 450 * Returns 0 if it gets a blob, -ENOMEM otherwise 451 */ 452 static int smack_bprm_set_creds(struct linux_binprm *bprm) 453 { 454 struct inode *inode = bprm->file->f_path.dentry->d_inode; 455 struct task_smack *bsp = bprm->cred->security; 456 struct inode_smack *isp; 457 int rc; 458 459 rc = cap_bprm_set_creds(bprm); 460 if (rc != 0) 461 return rc; 462 463 if (bprm->cred_prepared) 464 return 0; 465 466 isp = inode->i_security; 467 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 468 return 0; 469 470 if (bprm->unsafe) 471 return -EPERM; 472 473 bsp->smk_task = isp->smk_task; 474 bprm->per_clear |= PER_CLEAR_ON_SETID; 475 476 return 0; 477 } 478 479 /** 480 * smack_bprm_committing_creds - Prepare to install the new credentials 481 * from bprm. 482 * 483 * @bprm: binprm for exec 484 */ 485 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 486 { 487 struct task_smack *bsp = bprm->cred->security; 488 489 if (bsp->smk_task != bsp->smk_forked) 490 current->pdeath_signal = 0; 491 } 492 493 /** 494 * smack_bprm_secureexec - Return the decision to use secureexec. 495 * @bprm: binprm for exec 496 * 497 * Returns 0 on success. 498 */ 499 static int smack_bprm_secureexec(struct linux_binprm *bprm) 500 { 501 struct task_smack *tsp = current_security(); 502 int ret = cap_bprm_secureexec(bprm); 503 504 if (!ret && (tsp->smk_task != tsp->smk_forked)) 505 ret = 1; 506 507 return ret; 508 } 509 510 /* 511 * Inode hooks 512 */ 513 514 /** 515 * smack_inode_alloc_security - allocate an inode blob 516 * @inode: the inode in need of a blob 517 * 518 * Returns 0 if it gets a blob, -ENOMEM otherwise 519 */ 520 static int smack_inode_alloc_security(struct inode *inode) 521 { 522 inode->i_security = new_inode_smack(smk_of_current()); 523 if (inode->i_security == NULL) 524 return -ENOMEM; 525 return 0; 526 } 527 528 /** 529 * smack_inode_free_security - free an inode blob 530 * @inode: the inode with a blob 531 * 532 * Clears the blob pointer in inode 533 */ 534 static void smack_inode_free_security(struct inode *inode) 535 { 536 kfree(inode->i_security); 537 inode->i_security = NULL; 538 } 539 540 /** 541 * smack_inode_init_security - copy out the smack from an inode 542 * @inode: the inode 543 * @dir: unused 544 * @qstr: unused 545 * @name: where to put the attribute name 546 * @value: where to put the attribute value 547 * @len: where to put the length of the attribute 548 * 549 * Returns 0 if it all works out, -ENOMEM if there's no memory 550 */ 551 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 552 const struct qstr *qstr, char **name, 553 void **value, size_t *len) 554 { 555 struct smack_known *skp; 556 char *csp = smk_of_current(); 557 char *isp = smk_of_inode(inode); 558 char *dsp = smk_of_inode(dir); 559 int may; 560 561 if (name) { 562 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_KERNEL); 563 if (*name == NULL) 564 return -ENOMEM; 565 } 566 567 if (value) { 568 skp = smk_find_entry(csp); 569 rcu_read_lock(); 570 may = smk_access_entry(csp, dsp, &skp->smk_rules); 571 rcu_read_unlock(); 572 573 /* 574 * If the access rule allows transmutation and 575 * the directory requests transmutation then 576 * by all means transmute. 577 */ 578 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 579 smk_inode_transmutable(dir)) 580 isp = dsp; 581 582 *value = kstrdup(isp, GFP_KERNEL); 583 if (*value == NULL) 584 return -ENOMEM; 585 } 586 587 if (len) 588 *len = strlen(isp) + 1; 589 590 return 0; 591 } 592 593 /** 594 * smack_inode_link - Smack check on link 595 * @old_dentry: the existing object 596 * @dir: unused 597 * @new_dentry: the new object 598 * 599 * Returns 0 if access is permitted, an error code otherwise 600 */ 601 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 602 struct dentry *new_dentry) 603 { 604 char *isp; 605 struct smk_audit_info ad; 606 int rc; 607 608 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 609 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 610 611 isp = smk_of_inode(old_dentry->d_inode); 612 rc = smk_curacc(isp, MAY_WRITE, &ad); 613 614 if (rc == 0 && new_dentry->d_inode != NULL) { 615 isp = smk_of_inode(new_dentry->d_inode); 616 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 617 rc = smk_curacc(isp, MAY_WRITE, &ad); 618 } 619 620 return rc; 621 } 622 623 /** 624 * smack_inode_unlink - Smack check on inode deletion 625 * @dir: containing directory object 626 * @dentry: file to unlink 627 * 628 * Returns 0 if current can write the containing directory 629 * and the object, error code otherwise 630 */ 631 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 632 { 633 struct inode *ip = dentry->d_inode; 634 struct smk_audit_info ad; 635 int rc; 636 637 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 638 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 639 640 /* 641 * You need write access to the thing you're unlinking 642 */ 643 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 644 if (rc == 0) { 645 /* 646 * You also need write access to the containing directory 647 */ 648 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 649 smk_ad_setfield_u_fs_inode(&ad, dir); 650 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 651 } 652 return rc; 653 } 654 655 /** 656 * smack_inode_rmdir - Smack check on directory deletion 657 * @dir: containing directory object 658 * @dentry: directory to unlink 659 * 660 * Returns 0 if current can write the containing directory 661 * and the directory, error code otherwise 662 */ 663 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 664 { 665 struct smk_audit_info ad; 666 int rc; 667 668 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 669 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 670 671 /* 672 * You need write access to the thing you're removing 673 */ 674 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 675 if (rc == 0) { 676 /* 677 * You also need write access to the containing directory 678 */ 679 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 680 smk_ad_setfield_u_fs_inode(&ad, dir); 681 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 682 } 683 684 return rc; 685 } 686 687 /** 688 * smack_inode_rename - Smack check on rename 689 * @old_inode: the old directory 690 * @old_dentry: unused 691 * @new_inode: the new directory 692 * @new_dentry: unused 693 * 694 * Read and write access is required on both the old and 695 * new directories. 696 * 697 * Returns 0 if access is permitted, an error code otherwise 698 */ 699 static int smack_inode_rename(struct inode *old_inode, 700 struct dentry *old_dentry, 701 struct inode *new_inode, 702 struct dentry *new_dentry) 703 { 704 int rc; 705 char *isp; 706 struct smk_audit_info ad; 707 708 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 709 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 710 711 isp = smk_of_inode(old_dentry->d_inode); 712 rc = smk_curacc(isp, MAY_READWRITE, &ad); 713 714 if (rc == 0 && new_dentry->d_inode != NULL) { 715 isp = smk_of_inode(new_dentry->d_inode); 716 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 717 rc = smk_curacc(isp, MAY_READWRITE, &ad); 718 } 719 return rc; 720 } 721 722 /** 723 * smack_inode_permission - Smack version of permission() 724 * @inode: the inode in question 725 * @mask: the access requested 726 * 727 * This is the important Smack hook. 728 * 729 * Returns 0 if access is permitted, -EACCES otherwise 730 */ 731 static int smack_inode_permission(struct inode *inode, int mask) 732 { 733 struct smk_audit_info ad; 734 int no_block = mask & MAY_NOT_BLOCK; 735 736 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 737 /* 738 * No permission to check. Existence test. Yup, it's there. 739 */ 740 if (mask == 0) 741 return 0; 742 743 /* May be droppable after audit */ 744 if (no_block) 745 return -ECHILD; 746 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 747 smk_ad_setfield_u_fs_inode(&ad, inode); 748 return smk_curacc(smk_of_inode(inode), mask, &ad); 749 } 750 751 /** 752 * smack_inode_setattr - Smack check for setting attributes 753 * @dentry: the object 754 * @iattr: for the force flag 755 * 756 * Returns 0 if access is permitted, an error code otherwise 757 */ 758 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 759 { 760 struct smk_audit_info ad; 761 /* 762 * Need to allow for clearing the setuid bit. 763 */ 764 if (iattr->ia_valid & ATTR_FORCE) 765 return 0; 766 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 767 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 768 769 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 770 } 771 772 /** 773 * smack_inode_getattr - Smack check for getting attributes 774 * @mnt: unused 775 * @dentry: the object 776 * 777 * Returns 0 if access is permitted, an error code otherwise 778 */ 779 static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 780 { 781 struct smk_audit_info ad; 782 struct path path; 783 784 path.dentry = dentry; 785 path.mnt = mnt; 786 787 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 788 smk_ad_setfield_u_fs_path(&ad, path); 789 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 790 } 791 792 /** 793 * smack_inode_setxattr - Smack check for setting xattrs 794 * @dentry: the object 795 * @name: name of the attribute 796 * @value: unused 797 * @size: unused 798 * @flags: unused 799 * 800 * This protects the Smack attribute explicitly. 801 * 802 * Returns 0 if access is permitted, an error code otherwise 803 */ 804 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 805 const void *value, size_t size, int flags) 806 { 807 struct smk_audit_info ad; 808 int rc = 0; 809 810 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 811 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 812 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 813 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 814 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 815 if (!capable(CAP_MAC_ADMIN)) 816 rc = -EPERM; 817 /* 818 * check label validity here so import wont fail on 819 * post_setxattr 820 */ 821 if (size == 0 || size >= SMK_LABELLEN || 822 smk_import(value, size) == NULL) 823 rc = -EINVAL; 824 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 825 if (!capable(CAP_MAC_ADMIN)) 826 rc = -EPERM; 827 if (size != TRANS_TRUE_SIZE || 828 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 829 rc = -EINVAL; 830 } else 831 rc = cap_inode_setxattr(dentry, name, value, size, flags); 832 833 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 834 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 835 836 if (rc == 0) 837 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 838 839 return rc; 840 } 841 842 /** 843 * smack_inode_post_setxattr - Apply the Smack update approved above 844 * @dentry: object 845 * @name: attribute name 846 * @value: attribute value 847 * @size: attribute size 848 * @flags: unused 849 * 850 * Set the pointer in the inode blob to the entry found 851 * in the master label list. 852 */ 853 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 854 const void *value, size_t size, int flags) 855 { 856 char *nsp; 857 struct inode_smack *isp = dentry->d_inode->i_security; 858 859 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 860 nsp = smk_import(value, size); 861 if (nsp != NULL) 862 isp->smk_inode = nsp; 863 else 864 isp->smk_inode = smack_known_invalid.smk_known; 865 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 866 nsp = smk_import(value, size); 867 if (nsp != NULL) 868 isp->smk_task = nsp; 869 else 870 isp->smk_task = smack_known_invalid.smk_known; 871 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 872 nsp = smk_import(value, size); 873 if (nsp != NULL) 874 isp->smk_mmap = nsp; 875 else 876 isp->smk_mmap = smack_known_invalid.smk_known; 877 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 878 isp->smk_flags |= SMK_INODE_TRANSMUTE; 879 880 return; 881 } 882 883 /** 884 * smack_inode_getxattr - Smack check on getxattr 885 * @dentry: the object 886 * @name: unused 887 * 888 * Returns 0 if access is permitted, an error code otherwise 889 */ 890 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 891 { 892 struct smk_audit_info ad; 893 894 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 895 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 896 897 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 898 } 899 900 /** 901 * smack_inode_removexattr - Smack check on removexattr 902 * @dentry: the object 903 * @name: name of the attribute 904 * 905 * Removing the Smack attribute requires CAP_MAC_ADMIN 906 * 907 * Returns 0 if access is permitted, an error code otherwise 908 */ 909 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 910 { 911 struct inode_smack *isp; 912 struct smk_audit_info ad; 913 int rc = 0; 914 915 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 916 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 917 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 918 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 919 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 920 strcmp(name, XATTR_NAME_SMACKMMAP)) { 921 if (!capable(CAP_MAC_ADMIN)) 922 rc = -EPERM; 923 } else 924 rc = cap_inode_removexattr(dentry, name); 925 926 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 927 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 928 if (rc == 0) 929 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 930 931 if (rc == 0) { 932 isp = dentry->d_inode->i_security; 933 isp->smk_task = NULL; 934 isp->smk_mmap = NULL; 935 } 936 937 return rc; 938 } 939 940 /** 941 * smack_inode_getsecurity - get smack xattrs 942 * @inode: the object 943 * @name: attribute name 944 * @buffer: where to put the result 945 * @alloc: unused 946 * 947 * Returns the size of the attribute or an error code 948 */ 949 static int smack_inode_getsecurity(const struct inode *inode, 950 const char *name, void **buffer, 951 bool alloc) 952 { 953 struct socket_smack *ssp; 954 struct socket *sock; 955 struct super_block *sbp; 956 struct inode *ip = (struct inode *)inode; 957 char *isp; 958 int ilen; 959 int rc = 0; 960 961 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 962 isp = smk_of_inode(inode); 963 ilen = strlen(isp) + 1; 964 *buffer = isp; 965 return ilen; 966 } 967 968 /* 969 * The rest of the Smack xattrs are only on sockets. 970 */ 971 sbp = ip->i_sb; 972 if (sbp->s_magic != SOCKFS_MAGIC) 973 return -EOPNOTSUPP; 974 975 sock = SOCKET_I(ip); 976 if (sock == NULL || sock->sk == NULL) 977 return -EOPNOTSUPP; 978 979 ssp = sock->sk->sk_security; 980 981 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 982 isp = ssp->smk_in; 983 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 984 isp = ssp->smk_out; 985 else 986 return -EOPNOTSUPP; 987 988 ilen = strlen(isp) + 1; 989 if (rc == 0) { 990 *buffer = isp; 991 rc = ilen; 992 } 993 994 return rc; 995 } 996 997 998 /** 999 * smack_inode_listsecurity - list the Smack attributes 1000 * @inode: the object 1001 * @buffer: where they go 1002 * @buffer_size: size of buffer 1003 * 1004 * Returns 0 on success, -EINVAL otherwise 1005 */ 1006 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1007 size_t buffer_size) 1008 { 1009 int len = strlen(XATTR_NAME_SMACK); 1010 1011 if (buffer != NULL && len <= buffer_size) { 1012 memcpy(buffer, XATTR_NAME_SMACK, len); 1013 return len; 1014 } 1015 return -EINVAL; 1016 } 1017 1018 /** 1019 * smack_inode_getsecid - Extract inode's security id 1020 * @inode: inode to extract the info from 1021 * @secid: where result will be saved 1022 */ 1023 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 1024 { 1025 struct inode_smack *isp = inode->i_security; 1026 1027 *secid = smack_to_secid(isp->smk_inode); 1028 } 1029 1030 /* 1031 * File Hooks 1032 */ 1033 1034 /** 1035 * smack_file_permission - Smack check on file operations 1036 * @file: unused 1037 * @mask: unused 1038 * 1039 * Returns 0 1040 * 1041 * Should access checks be done on each read or write? 1042 * UNICOS and SELinux say yes. 1043 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1044 * 1045 * I'll say no for now. Smack does not do the frequent 1046 * label changing that SELinux does. 1047 */ 1048 static int smack_file_permission(struct file *file, int mask) 1049 { 1050 return 0; 1051 } 1052 1053 /** 1054 * smack_file_alloc_security - assign a file security blob 1055 * @file: the object 1056 * 1057 * The security blob for a file is a pointer to the master 1058 * label list, so no allocation is done. 1059 * 1060 * Returns 0 1061 */ 1062 static int smack_file_alloc_security(struct file *file) 1063 { 1064 file->f_security = smk_of_current(); 1065 return 0; 1066 } 1067 1068 /** 1069 * smack_file_free_security - clear a file security blob 1070 * @file: the object 1071 * 1072 * The security blob for a file is a pointer to the master 1073 * label list, so no memory is freed. 1074 */ 1075 static void smack_file_free_security(struct file *file) 1076 { 1077 file->f_security = NULL; 1078 } 1079 1080 /** 1081 * smack_file_ioctl - Smack check on ioctls 1082 * @file: the object 1083 * @cmd: what to do 1084 * @arg: unused 1085 * 1086 * Relies heavily on the correct use of the ioctl command conventions. 1087 * 1088 * Returns 0 if allowed, error code otherwise 1089 */ 1090 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1091 unsigned long arg) 1092 { 1093 int rc = 0; 1094 struct smk_audit_info ad; 1095 1096 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1097 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1098 1099 if (_IOC_DIR(cmd) & _IOC_WRITE) 1100 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 1101 1102 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) 1103 rc = smk_curacc(file->f_security, MAY_READ, &ad); 1104 1105 return rc; 1106 } 1107 1108 /** 1109 * smack_file_lock - Smack check on file locking 1110 * @file: the object 1111 * @cmd: unused 1112 * 1113 * Returns 0 if current has write access, error code otherwise 1114 */ 1115 static int smack_file_lock(struct file *file, unsigned int cmd) 1116 { 1117 struct smk_audit_info ad; 1118 1119 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1120 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1121 return smk_curacc(file->f_security, MAY_WRITE, &ad); 1122 } 1123 1124 /** 1125 * smack_file_fcntl - Smack check on fcntl 1126 * @file: the object 1127 * @cmd: what action to check 1128 * @arg: unused 1129 * 1130 * Generally these operations are harmless. 1131 * File locking operations present an obvious mechanism 1132 * for passing information, so they require write access. 1133 * 1134 * Returns 0 if current has access, error code otherwise 1135 */ 1136 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1137 unsigned long arg) 1138 { 1139 struct smk_audit_info ad; 1140 int rc = 0; 1141 1142 1143 switch (cmd) { 1144 case F_GETLK: 1145 case F_SETLK: 1146 case F_SETLKW: 1147 case F_SETOWN: 1148 case F_SETSIG: 1149 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1150 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1151 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 1152 break; 1153 default: 1154 break; 1155 } 1156 1157 return rc; 1158 } 1159 1160 /** 1161 * smack_file_mmap : 1162 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1163 * if mapping anonymous memory. 1164 * @file contains the file structure for file to map (may be NULL). 1165 * @reqprot contains the protection requested by the application. 1166 * @prot contains the protection that will be applied by the kernel. 1167 * @flags contains the operational flags. 1168 * Return 0 if permission is granted. 1169 */ 1170 static int smack_file_mmap(struct file *file, 1171 unsigned long reqprot, unsigned long prot, 1172 unsigned long flags, unsigned long addr, 1173 unsigned long addr_only) 1174 { 1175 struct smack_known *skp; 1176 struct smack_rule *srp; 1177 struct task_smack *tsp; 1178 char *sp; 1179 char *msmack; 1180 char *osmack; 1181 struct inode_smack *isp; 1182 struct dentry *dp; 1183 int may; 1184 int mmay; 1185 int tmay; 1186 int rc; 1187 1188 /* do DAC check on address space usage */ 1189 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 1190 if (rc || addr_only) 1191 return rc; 1192 1193 if (file == NULL || file->f_dentry == NULL) 1194 return 0; 1195 1196 dp = file->f_dentry; 1197 1198 if (dp->d_inode == NULL) 1199 return 0; 1200 1201 isp = dp->d_inode->i_security; 1202 if (isp->smk_mmap == NULL) 1203 return 0; 1204 msmack = isp->smk_mmap; 1205 1206 tsp = current_security(); 1207 sp = smk_of_current(); 1208 skp = smk_find_entry(sp); 1209 rc = 0; 1210 1211 rcu_read_lock(); 1212 /* 1213 * For each Smack rule associated with the subject 1214 * label verify that the SMACK64MMAP also has access 1215 * to that rule's object label. 1216 */ 1217 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1218 osmack = srp->smk_object; 1219 /* 1220 * Matching labels always allows access. 1221 */ 1222 if (msmack == osmack) 1223 continue; 1224 /* 1225 * If there is a matching local rule take 1226 * that into account as well. 1227 */ 1228 may = smk_access_entry(srp->smk_subject, osmack, 1229 &tsp->smk_rules); 1230 if (may == -ENOENT) 1231 may = srp->smk_access; 1232 else 1233 may &= srp->smk_access; 1234 /* 1235 * If may is zero the SMACK64MMAP subject can't 1236 * possibly have less access. 1237 */ 1238 if (may == 0) 1239 continue; 1240 1241 /* 1242 * Fetch the global list entry. 1243 * If there isn't one a SMACK64MMAP subject 1244 * can't have as much access as current. 1245 */ 1246 skp = smk_find_entry(msmack); 1247 mmay = smk_access_entry(msmack, osmack, &skp->smk_rules); 1248 if (mmay == -ENOENT) { 1249 rc = -EACCES; 1250 break; 1251 } 1252 /* 1253 * If there is a local entry it modifies the 1254 * potential access, too. 1255 */ 1256 tmay = smk_access_entry(msmack, osmack, &tsp->smk_rules); 1257 if (tmay != -ENOENT) 1258 mmay &= tmay; 1259 1260 /* 1261 * If there is any access available to current that is 1262 * not available to a SMACK64MMAP subject 1263 * deny access. 1264 */ 1265 if ((may | mmay) != mmay) { 1266 rc = -EACCES; 1267 break; 1268 } 1269 } 1270 1271 rcu_read_unlock(); 1272 1273 return rc; 1274 } 1275 1276 /** 1277 * smack_file_set_fowner - set the file security blob value 1278 * @file: object in question 1279 * 1280 * Returns 0 1281 * Further research may be required on this one. 1282 */ 1283 static int smack_file_set_fowner(struct file *file) 1284 { 1285 file->f_security = smk_of_current(); 1286 return 0; 1287 } 1288 1289 /** 1290 * smack_file_send_sigiotask - Smack on sigio 1291 * @tsk: The target task 1292 * @fown: the object the signal come from 1293 * @signum: unused 1294 * 1295 * Allow a privileged task to get signals even if it shouldn't 1296 * 1297 * Returns 0 if a subject with the object's smack could 1298 * write to the task, an error code otherwise. 1299 */ 1300 static int smack_file_send_sigiotask(struct task_struct *tsk, 1301 struct fown_struct *fown, int signum) 1302 { 1303 struct file *file; 1304 int rc; 1305 char *tsp = smk_of_task(tsk->cred->security); 1306 struct smk_audit_info ad; 1307 1308 /* 1309 * struct fown_struct is never outside the context of a struct file 1310 */ 1311 file = container_of(fown, struct file, f_owner); 1312 1313 /* we don't log here as rc can be overriden */ 1314 rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL); 1315 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1316 rc = 0; 1317 1318 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1319 smk_ad_setfield_u_tsk(&ad, tsk); 1320 smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad); 1321 return rc; 1322 } 1323 1324 /** 1325 * smack_file_receive - Smack file receive check 1326 * @file: the object 1327 * 1328 * Returns 0 if current has access, error code otherwise 1329 */ 1330 static int smack_file_receive(struct file *file) 1331 { 1332 int may = 0; 1333 struct smk_audit_info ad; 1334 1335 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1336 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1337 /* 1338 * This code relies on bitmasks. 1339 */ 1340 if (file->f_mode & FMODE_READ) 1341 may = MAY_READ; 1342 if (file->f_mode & FMODE_WRITE) 1343 may |= MAY_WRITE; 1344 1345 return smk_curacc(file->f_security, may, &ad); 1346 } 1347 1348 /** 1349 * smack_dentry_open - Smack dentry open processing 1350 * @file: the object 1351 * @cred: unused 1352 * 1353 * Set the security blob in the file structure. 1354 * 1355 * Returns 0 1356 */ 1357 static int smack_dentry_open(struct file *file, const struct cred *cred) 1358 { 1359 struct inode_smack *isp = file->f_path.dentry->d_inode->i_security; 1360 1361 file->f_security = isp->smk_inode; 1362 1363 return 0; 1364 } 1365 1366 /* 1367 * Task hooks 1368 */ 1369 1370 /** 1371 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1372 * @new: the new credentials 1373 * @gfp: the atomicity of any memory allocations 1374 * 1375 * Prepare a blank set of credentials for modification. This must allocate all 1376 * the memory the LSM module might require such that cred_transfer() can 1377 * complete without error. 1378 */ 1379 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1380 { 1381 struct task_smack *tsp; 1382 1383 tsp = new_task_smack(NULL, NULL, gfp); 1384 if (tsp == NULL) 1385 return -ENOMEM; 1386 1387 cred->security = tsp; 1388 1389 return 0; 1390 } 1391 1392 1393 /** 1394 * smack_cred_free - "free" task-level security credentials 1395 * @cred: the credentials in question 1396 * 1397 */ 1398 static void smack_cred_free(struct cred *cred) 1399 { 1400 struct task_smack *tsp = cred->security; 1401 struct smack_rule *rp; 1402 struct list_head *l; 1403 struct list_head *n; 1404 1405 if (tsp == NULL) 1406 return; 1407 cred->security = NULL; 1408 1409 list_for_each_safe(l, n, &tsp->smk_rules) { 1410 rp = list_entry(l, struct smack_rule, list); 1411 list_del(&rp->list); 1412 kfree(rp); 1413 } 1414 kfree(tsp); 1415 } 1416 1417 /** 1418 * smack_cred_prepare - prepare new set of credentials for modification 1419 * @new: the new credentials 1420 * @old: the original credentials 1421 * @gfp: the atomicity of any memory allocations 1422 * 1423 * Prepare a new set of credentials for modification. 1424 */ 1425 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1426 gfp_t gfp) 1427 { 1428 struct task_smack *old_tsp = old->security; 1429 struct task_smack *new_tsp; 1430 int rc; 1431 1432 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1433 if (new_tsp == NULL) 1434 return -ENOMEM; 1435 1436 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1437 if (rc != 0) 1438 return rc; 1439 1440 new->security = new_tsp; 1441 return 0; 1442 } 1443 1444 /** 1445 * smack_cred_transfer - Transfer the old credentials to the new credentials 1446 * @new: the new credentials 1447 * @old: the original credentials 1448 * 1449 * Fill in a set of blank credentials from another set of credentials. 1450 */ 1451 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1452 { 1453 struct task_smack *old_tsp = old->security; 1454 struct task_smack *new_tsp = new->security; 1455 1456 new_tsp->smk_task = old_tsp->smk_task; 1457 new_tsp->smk_forked = old_tsp->smk_task; 1458 mutex_init(&new_tsp->smk_rules_lock); 1459 INIT_LIST_HEAD(&new_tsp->smk_rules); 1460 1461 1462 /* cbs copy rule list */ 1463 } 1464 1465 /** 1466 * smack_kernel_act_as - Set the subjective context in a set of credentials 1467 * @new: points to the set of credentials to be modified. 1468 * @secid: specifies the security ID to be set 1469 * 1470 * Set the security data for a kernel service. 1471 */ 1472 static int smack_kernel_act_as(struct cred *new, u32 secid) 1473 { 1474 struct task_smack *new_tsp = new->security; 1475 char *smack = smack_from_secid(secid); 1476 1477 if (smack == NULL) 1478 return -EINVAL; 1479 1480 new_tsp->smk_task = smack; 1481 return 0; 1482 } 1483 1484 /** 1485 * smack_kernel_create_files_as - Set the file creation label in a set of creds 1486 * @new: points to the set of credentials to be modified 1487 * @inode: points to the inode to use as a reference 1488 * 1489 * Set the file creation context in a set of credentials to the same 1490 * as the objective context of the specified inode 1491 */ 1492 static int smack_kernel_create_files_as(struct cred *new, 1493 struct inode *inode) 1494 { 1495 struct inode_smack *isp = inode->i_security; 1496 struct task_smack *tsp = new->security; 1497 1498 tsp->smk_forked = isp->smk_inode; 1499 tsp->smk_task = isp->smk_inode; 1500 return 0; 1501 } 1502 1503 /** 1504 * smk_curacc_on_task - helper to log task related access 1505 * @p: the task object 1506 * @access: the access requested 1507 * @caller: name of the calling function for audit 1508 * 1509 * Return 0 if access is permitted 1510 */ 1511 static int smk_curacc_on_task(struct task_struct *p, int access, 1512 const char *caller) 1513 { 1514 struct smk_audit_info ad; 1515 1516 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 1517 smk_ad_setfield_u_tsk(&ad, p); 1518 return smk_curacc(smk_of_task(task_security(p)), access, &ad); 1519 } 1520 1521 /** 1522 * smack_task_setpgid - Smack check on setting pgid 1523 * @p: the task object 1524 * @pgid: unused 1525 * 1526 * Return 0 if write access is permitted 1527 */ 1528 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1529 { 1530 return smk_curacc_on_task(p, MAY_WRITE, __func__); 1531 } 1532 1533 /** 1534 * smack_task_getpgid - Smack access check for getpgid 1535 * @p: the object task 1536 * 1537 * Returns 0 if current can read the object task, error code otherwise 1538 */ 1539 static int smack_task_getpgid(struct task_struct *p) 1540 { 1541 return smk_curacc_on_task(p, MAY_READ, __func__); 1542 } 1543 1544 /** 1545 * smack_task_getsid - Smack access check for getsid 1546 * @p: the object task 1547 * 1548 * Returns 0 if current can read the object task, error code otherwise 1549 */ 1550 static int smack_task_getsid(struct task_struct *p) 1551 { 1552 return smk_curacc_on_task(p, MAY_READ, __func__); 1553 } 1554 1555 /** 1556 * smack_task_getsecid - get the secid of the task 1557 * @p: the object task 1558 * @secid: where to put the result 1559 * 1560 * Sets the secid to contain a u32 version of the smack label. 1561 */ 1562 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1563 { 1564 *secid = smack_to_secid(smk_of_task(task_security(p))); 1565 } 1566 1567 /** 1568 * smack_task_setnice - Smack check on setting nice 1569 * @p: the task object 1570 * @nice: unused 1571 * 1572 * Return 0 if write access is permitted 1573 */ 1574 static int smack_task_setnice(struct task_struct *p, int nice) 1575 { 1576 int rc; 1577 1578 rc = cap_task_setnice(p, nice); 1579 if (rc == 0) 1580 rc = smk_curacc_on_task(p, MAY_WRITE, __func__); 1581 return rc; 1582 } 1583 1584 /** 1585 * smack_task_setioprio - Smack check on setting ioprio 1586 * @p: the task object 1587 * @ioprio: unused 1588 * 1589 * Return 0 if write access is permitted 1590 */ 1591 static int smack_task_setioprio(struct task_struct *p, int ioprio) 1592 { 1593 int rc; 1594 1595 rc = cap_task_setioprio(p, ioprio); 1596 if (rc == 0) 1597 rc = smk_curacc_on_task(p, MAY_WRITE, __func__); 1598 return rc; 1599 } 1600 1601 /** 1602 * smack_task_getioprio - Smack check on reading ioprio 1603 * @p: the task object 1604 * 1605 * Return 0 if read access is permitted 1606 */ 1607 static int smack_task_getioprio(struct task_struct *p) 1608 { 1609 return smk_curacc_on_task(p, MAY_READ, __func__); 1610 } 1611 1612 /** 1613 * smack_task_setscheduler - Smack check on setting scheduler 1614 * @p: the task object 1615 * @policy: unused 1616 * @lp: unused 1617 * 1618 * Return 0 if read access is permitted 1619 */ 1620 static int smack_task_setscheduler(struct task_struct *p) 1621 { 1622 int rc; 1623 1624 rc = cap_task_setscheduler(p); 1625 if (rc == 0) 1626 rc = smk_curacc_on_task(p, MAY_WRITE, __func__); 1627 return rc; 1628 } 1629 1630 /** 1631 * smack_task_getscheduler - Smack check on reading scheduler 1632 * @p: the task object 1633 * 1634 * Return 0 if read access is permitted 1635 */ 1636 static int smack_task_getscheduler(struct task_struct *p) 1637 { 1638 return smk_curacc_on_task(p, MAY_READ, __func__); 1639 } 1640 1641 /** 1642 * smack_task_movememory - Smack check on moving memory 1643 * @p: the task object 1644 * 1645 * Return 0 if write access is permitted 1646 */ 1647 static int smack_task_movememory(struct task_struct *p) 1648 { 1649 return smk_curacc_on_task(p, MAY_WRITE, __func__); 1650 } 1651 1652 /** 1653 * smack_task_kill - Smack check on signal delivery 1654 * @p: the task object 1655 * @info: unused 1656 * @sig: unused 1657 * @secid: identifies the smack to use in lieu of current's 1658 * 1659 * Return 0 if write access is permitted 1660 * 1661 * The secid behavior is an artifact of an SELinux hack 1662 * in the USB code. Someday it may go away. 1663 */ 1664 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1665 int sig, u32 secid) 1666 { 1667 struct smk_audit_info ad; 1668 1669 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1670 smk_ad_setfield_u_tsk(&ad, p); 1671 /* 1672 * Sending a signal requires that the sender 1673 * can write the receiver. 1674 */ 1675 if (secid == 0) 1676 return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE, 1677 &ad); 1678 /* 1679 * If the secid isn't 0 we're dealing with some USB IO 1680 * specific behavior. This is not clean. For one thing 1681 * we can't take privilege into account. 1682 */ 1683 return smk_access(smack_from_secid(secid), 1684 smk_of_task(task_security(p)), MAY_WRITE, &ad); 1685 } 1686 1687 /** 1688 * smack_task_wait - Smack access check for waiting 1689 * @p: task to wait for 1690 * 1691 * Returns 0 if current can wait for p, error code otherwise 1692 */ 1693 static int smack_task_wait(struct task_struct *p) 1694 { 1695 struct smk_audit_info ad; 1696 char *sp = smk_of_current(); 1697 char *tsp = smk_of_forked(task_security(p)); 1698 int rc; 1699 1700 /* we don't log here, we can be overriden */ 1701 rc = smk_access(tsp, sp, MAY_WRITE, NULL); 1702 if (rc == 0) 1703 goto out_log; 1704 1705 /* 1706 * Allow the operation to succeed if either task 1707 * has privilege to perform operations that might 1708 * account for the smack labels having gotten to 1709 * be different in the first place. 1710 * 1711 * This breaks the strict subject/object access 1712 * control ideal, taking the object's privilege 1713 * state into account in the decision as well as 1714 * the smack value. 1715 */ 1716 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE)) 1717 rc = 0; 1718 /* we log only if we didn't get overriden */ 1719 out_log: 1720 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1721 smk_ad_setfield_u_tsk(&ad, p); 1722 smack_log(tsp, sp, MAY_WRITE, rc, &ad); 1723 return rc; 1724 } 1725 1726 /** 1727 * smack_task_to_inode - copy task smack into the inode blob 1728 * @p: task to copy from 1729 * @inode: inode to copy to 1730 * 1731 * Sets the smack pointer in the inode security blob 1732 */ 1733 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1734 { 1735 struct inode_smack *isp = inode->i_security; 1736 isp->smk_inode = smk_of_task(task_security(p)); 1737 } 1738 1739 /* 1740 * Socket hooks. 1741 */ 1742 1743 /** 1744 * smack_sk_alloc_security - Allocate a socket blob 1745 * @sk: the socket 1746 * @family: unused 1747 * @gfp_flags: memory allocation flags 1748 * 1749 * Assign Smack pointers to current 1750 * 1751 * Returns 0 on success, -ENOMEM is there's no memory 1752 */ 1753 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1754 { 1755 char *csp = smk_of_current(); 1756 struct socket_smack *ssp; 1757 1758 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1759 if (ssp == NULL) 1760 return -ENOMEM; 1761 1762 ssp->smk_in = csp; 1763 ssp->smk_out = csp; 1764 ssp->smk_packet = NULL; 1765 1766 sk->sk_security = ssp; 1767 1768 return 0; 1769 } 1770 1771 /** 1772 * smack_sk_free_security - Free a socket blob 1773 * @sk: the socket 1774 * 1775 * Clears the blob pointer 1776 */ 1777 static void smack_sk_free_security(struct sock *sk) 1778 { 1779 kfree(sk->sk_security); 1780 } 1781 1782 /** 1783 * smack_host_label - check host based restrictions 1784 * @sip: the object end 1785 * 1786 * looks for host based access restrictions 1787 * 1788 * This version will only be appropriate for really small sets of single label 1789 * hosts. The caller is responsible for ensuring that the RCU read lock is 1790 * taken before calling this function. 1791 * 1792 * Returns the label of the far end or NULL if it's not special. 1793 */ 1794 static char *smack_host_label(struct sockaddr_in *sip) 1795 { 1796 struct smk_netlbladdr *snp; 1797 struct in_addr *siap = &sip->sin_addr; 1798 1799 if (siap->s_addr == 0) 1800 return NULL; 1801 1802 list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) 1803 /* 1804 * we break after finding the first match because 1805 * the list is sorted from longest to shortest mask 1806 * so we have found the most specific match 1807 */ 1808 if ((&snp->smk_host.sin_addr)->s_addr == 1809 (siap->s_addr & (&snp->smk_mask)->s_addr)) { 1810 /* we have found the special CIPSO option */ 1811 if (snp->smk_label == smack_cipso_option) 1812 return NULL; 1813 return snp->smk_label; 1814 } 1815 1816 return NULL; 1817 } 1818 1819 /** 1820 * smack_set_catset - convert a capset to netlabel mls categories 1821 * @catset: the Smack categories 1822 * @sap: where to put the netlabel categories 1823 * 1824 * Allocates and fills attr.mls.cat 1825 */ 1826 static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap) 1827 { 1828 unsigned char *cp; 1829 unsigned char m; 1830 int cat; 1831 int rc; 1832 int byte; 1833 1834 if (!catset) 1835 return; 1836 1837 sap->flags |= NETLBL_SECATTR_MLS_CAT; 1838 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 1839 sap->attr.mls.cat->startbit = 0; 1840 1841 for (cat = 1, cp = catset, byte = 0; byte < SMK_LABELLEN; cp++, byte++) 1842 for (m = 0x80; m != 0; m >>= 1, cat++) { 1843 if ((m & *cp) == 0) 1844 continue; 1845 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat, 1846 cat, GFP_ATOMIC); 1847 } 1848 } 1849 1850 /** 1851 * smack_to_secattr - fill a secattr from a smack value 1852 * @smack: the smack value 1853 * @nlsp: where the result goes 1854 * 1855 * Casey says that CIPSO is good enough for now. 1856 * It can be used to effect. 1857 * It can also be abused to effect when necessary. 1858 * Apologies to the TSIG group in general and GW in particular. 1859 */ 1860 static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp) 1861 { 1862 struct smack_cipso cipso; 1863 int rc; 1864 1865 nlsp->domain = smack; 1866 nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; 1867 1868 rc = smack_to_cipso(smack, &cipso); 1869 if (rc == 0) { 1870 nlsp->attr.mls.lvl = cipso.smk_level; 1871 smack_set_catset(cipso.smk_catset, nlsp); 1872 } else { 1873 nlsp->attr.mls.lvl = smack_cipso_direct; 1874 smack_set_catset(smack, nlsp); 1875 } 1876 } 1877 1878 /** 1879 * smack_netlabel - Set the secattr on a socket 1880 * @sk: the socket 1881 * @labeled: socket label scheme 1882 * 1883 * Convert the outbound smack value (smk_out) to a 1884 * secattr and attach it to the socket. 1885 * 1886 * Returns 0 on success or an error code 1887 */ 1888 static int smack_netlabel(struct sock *sk, int labeled) 1889 { 1890 struct socket_smack *ssp = sk->sk_security; 1891 struct netlbl_lsm_secattr secattr; 1892 int rc = 0; 1893 1894 /* 1895 * Usually the netlabel code will handle changing the 1896 * packet labeling based on the label. 1897 * The case of a single label host is different, because 1898 * a single label host should never get a labeled packet 1899 * even though the label is usually associated with a packet 1900 * label. 1901 */ 1902 local_bh_disable(); 1903 bh_lock_sock_nested(sk); 1904 1905 if (ssp->smk_out == smack_net_ambient || 1906 labeled == SMACK_UNLABELED_SOCKET) 1907 netlbl_sock_delattr(sk); 1908 else { 1909 netlbl_secattr_init(&secattr); 1910 smack_to_secattr(ssp->smk_out, &secattr); 1911 rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr); 1912 netlbl_secattr_destroy(&secattr); 1913 } 1914 1915 bh_unlock_sock(sk); 1916 local_bh_enable(); 1917 1918 return rc; 1919 } 1920 1921 /** 1922 * smack_netlbel_send - Set the secattr on a socket and perform access checks 1923 * @sk: the socket 1924 * @sap: the destination address 1925 * 1926 * Set the correct secattr for the given socket based on the destination 1927 * address and perform any outbound access checks needed. 1928 * 1929 * Returns 0 on success or an error code. 1930 * 1931 */ 1932 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 1933 { 1934 int rc; 1935 int sk_lbl; 1936 char *hostsp; 1937 struct socket_smack *ssp = sk->sk_security; 1938 struct smk_audit_info ad; 1939 1940 rcu_read_lock(); 1941 hostsp = smack_host_label(sap); 1942 if (hostsp != NULL) { 1943 sk_lbl = SMACK_UNLABELED_SOCKET; 1944 #ifdef CONFIG_AUDIT 1945 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 1946 ad.a.u.net.family = sap->sin_family; 1947 ad.a.u.net.dport = sap->sin_port; 1948 ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr; 1949 #endif 1950 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad); 1951 } else { 1952 sk_lbl = SMACK_CIPSO_SOCKET; 1953 rc = 0; 1954 } 1955 rcu_read_unlock(); 1956 if (rc != 0) 1957 return rc; 1958 1959 return smack_netlabel(sk, sk_lbl); 1960 } 1961 1962 /** 1963 * smack_inode_setsecurity - set smack xattrs 1964 * @inode: the object 1965 * @name: attribute name 1966 * @value: attribute value 1967 * @size: size of the attribute 1968 * @flags: unused 1969 * 1970 * Sets the named attribute in the appropriate blob 1971 * 1972 * Returns 0 on success, or an error code 1973 */ 1974 static int smack_inode_setsecurity(struct inode *inode, const char *name, 1975 const void *value, size_t size, int flags) 1976 { 1977 char *sp; 1978 struct inode_smack *nsp = inode->i_security; 1979 struct socket_smack *ssp; 1980 struct socket *sock; 1981 int rc = 0; 1982 1983 if (value == NULL || size > SMK_LABELLEN || size == 0) 1984 return -EACCES; 1985 1986 sp = smk_import(value, size); 1987 if (sp == NULL) 1988 return -EINVAL; 1989 1990 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1991 nsp->smk_inode = sp; 1992 nsp->smk_flags |= SMK_INODE_INSTANT; 1993 return 0; 1994 } 1995 /* 1996 * The rest of the Smack xattrs are only on sockets. 1997 */ 1998 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 1999 return -EOPNOTSUPP; 2000 2001 sock = SOCKET_I(inode); 2002 if (sock == NULL || sock->sk == NULL) 2003 return -EOPNOTSUPP; 2004 2005 ssp = sock->sk->sk_security; 2006 2007 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2008 ssp->smk_in = sp; 2009 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2010 ssp->smk_out = sp; 2011 if (sock->sk->sk_family != PF_UNIX) { 2012 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2013 if (rc != 0) 2014 printk(KERN_WARNING 2015 "Smack: \"%s\" netlbl error %d.\n", 2016 __func__, -rc); 2017 } 2018 } else 2019 return -EOPNOTSUPP; 2020 2021 return 0; 2022 } 2023 2024 /** 2025 * smack_socket_post_create - finish socket setup 2026 * @sock: the socket 2027 * @family: protocol family 2028 * @type: unused 2029 * @protocol: unused 2030 * @kern: unused 2031 * 2032 * Sets the netlabel information on the socket 2033 * 2034 * Returns 0 on success, and error code otherwise 2035 */ 2036 static int smack_socket_post_create(struct socket *sock, int family, 2037 int type, int protocol, int kern) 2038 { 2039 if (family != PF_INET || sock->sk == NULL) 2040 return 0; 2041 /* 2042 * Set the outbound netlbl. 2043 */ 2044 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2045 } 2046 2047 /** 2048 * smack_socket_connect - connect access check 2049 * @sock: the socket 2050 * @sap: the other end 2051 * @addrlen: size of sap 2052 * 2053 * Verifies that a connection may be possible 2054 * 2055 * Returns 0 on success, and error code otherwise 2056 */ 2057 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2058 int addrlen) 2059 { 2060 if (sock->sk == NULL || sock->sk->sk_family != PF_INET) 2061 return 0; 2062 if (addrlen < sizeof(struct sockaddr_in)) 2063 return -EINVAL; 2064 2065 return smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2066 } 2067 2068 /** 2069 * smack_flags_to_may - convert S_ to MAY_ values 2070 * @flags: the S_ value 2071 * 2072 * Returns the equivalent MAY_ value 2073 */ 2074 static int smack_flags_to_may(int flags) 2075 { 2076 int may = 0; 2077 2078 if (flags & S_IRUGO) 2079 may |= MAY_READ; 2080 if (flags & S_IWUGO) 2081 may |= MAY_WRITE; 2082 if (flags & S_IXUGO) 2083 may |= MAY_EXEC; 2084 2085 return may; 2086 } 2087 2088 /** 2089 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2090 * @msg: the object 2091 * 2092 * Returns 0 2093 */ 2094 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2095 { 2096 msg->security = smk_of_current(); 2097 return 0; 2098 } 2099 2100 /** 2101 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2102 * @msg: the object 2103 * 2104 * Clears the blob pointer 2105 */ 2106 static void smack_msg_msg_free_security(struct msg_msg *msg) 2107 { 2108 msg->security = NULL; 2109 } 2110 2111 /** 2112 * smack_of_shm - the smack pointer for the shm 2113 * @shp: the object 2114 * 2115 * Returns a pointer to the smack value 2116 */ 2117 static char *smack_of_shm(struct shmid_kernel *shp) 2118 { 2119 return (char *)shp->shm_perm.security; 2120 } 2121 2122 /** 2123 * smack_shm_alloc_security - Set the security blob for shm 2124 * @shp: the object 2125 * 2126 * Returns 0 2127 */ 2128 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2129 { 2130 struct kern_ipc_perm *isp = &shp->shm_perm; 2131 2132 isp->security = smk_of_current(); 2133 return 0; 2134 } 2135 2136 /** 2137 * smack_shm_free_security - Clear the security blob for shm 2138 * @shp: the object 2139 * 2140 * Clears the blob pointer 2141 */ 2142 static void smack_shm_free_security(struct shmid_kernel *shp) 2143 { 2144 struct kern_ipc_perm *isp = &shp->shm_perm; 2145 2146 isp->security = NULL; 2147 } 2148 2149 /** 2150 * smk_curacc_shm : check if current has access on shm 2151 * @shp : the object 2152 * @access : access requested 2153 * 2154 * Returns 0 if current has the requested access, error code otherwise 2155 */ 2156 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2157 { 2158 char *ssp = smack_of_shm(shp); 2159 struct smk_audit_info ad; 2160 2161 #ifdef CONFIG_AUDIT 2162 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2163 ad.a.u.ipc_id = shp->shm_perm.id; 2164 #endif 2165 return smk_curacc(ssp, access, &ad); 2166 } 2167 2168 /** 2169 * smack_shm_associate - Smack access check for shm 2170 * @shp: the object 2171 * @shmflg: access requested 2172 * 2173 * Returns 0 if current has the requested access, error code otherwise 2174 */ 2175 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 2176 { 2177 int may; 2178 2179 may = smack_flags_to_may(shmflg); 2180 return smk_curacc_shm(shp, may); 2181 } 2182 2183 /** 2184 * smack_shm_shmctl - Smack access check for shm 2185 * @shp: the object 2186 * @cmd: what it wants to do 2187 * 2188 * Returns 0 if current has the requested access, error code otherwise 2189 */ 2190 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 2191 { 2192 int may; 2193 2194 switch (cmd) { 2195 case IPC_STAT: 2196 case SHM_STAT: 2197 may = MAY_READ; 2198 break; 2199 case IPC_SET: 2200 case SHM_LOCK: 2201 case SHM_UNLOCK: 2202 case IPC_RMID: 2203 may = MAY_READWRITE; 2204 break; 2205 case IPC_INFO: 2206 case SHM_INFO: 2207 /* 2208 * System level information. 2209 */ 2210 return 0; 2211 default: 2212 return -EINVAL; 2213 } 2214 return smk_curacc_shm(shp, may); 2215 } 2216 2217 /** 2218 * smack_shm_shmat - Smack access for shmat 2219 * @shp: the object 2220 * @shmaddr: unused 2221 * @shmflg: access requested 2222 * 2223 * Returns 0 if current has the requested access, error code otherwise 2224 */ 2225 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 2226 int shmflg) 2227 { 2228 int may; 2229 2230 may = smack_flags_to_may(shmflg); 2231 return smk_curacc_shm(shp, may); 2232 } 2233 2234 /** 2235 * smack_of_sem - the smack pointer for the sem 2236 * @sma: the object 2237 * 2238 * Returns a pointer to the smack value 2239 */ 2240 static char *smack_of_sem(struct sem_array *sma) 2241 { 2242 return (char *)sma->sem_perm.security; 2243 } 2244 2245 /** 2246 * smack_sem_alloc_security - Set the security blob for sem 2247 * @sma: the object 2248 * 2249 * Returns 0 2250 */ 2251 static int smack_sem_alloc_security(struct sem_array *sma) 2252 { 2253 struct kern_ipc_perm *isp = &sma->sem_perm; 2254 2255 isp->security = smk_of_current(); 2256 return 0; 2257 } 2258 2259 /** 2260 * smack_sem_free_security - Clear the security blob for sem 2261 * @sma: the object 2262 * 2263 * Clears the blob pointer 2264 */ 2265 static void smack_sem_free_security(struct sem_array *sma) 2266 { 2267 struct kern_ipc_perm *isp = &sma->sem_perm; 2268 2269 isp->security = NULL; 2270 } 2271 2272 /** 2273 * smk_curacc_sem : check if current has access on sem 2274 * @sma : the object 2275 * @access : access requested 2276 * 2277 * Returns 0 if current has the requested access, error code otherwise 2278 */ 2279 static int smk_curacc_sem(struct sem_array *sma, int access) 2280 { 2281 char *ssp = smack_of_sem(sma); 2282 struct smk_audit_info ad; 2283 2284 #ifdef CONFIG_AUDIT 2285 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2286 ad.a.u.ipc_id = sma->sem_perm.id; 2287 #endif 2288 return smk_curacc(ssp, access, &ad); 2289 } 2290 2291 /** 2292 * smack_sem_associate - Smack access check for sem 2293 * @sma: the object 2294 * @semflg: access requested 2295 * 2296 * Returns 0 if current has the requested access, error code otherwise 2297 */ 2298 static int smack_sem_associate(struct sem_array *sma, int semflg) 2299 { 2300 int may; 2301 2302 may = smack_flags_to_may(semflg); 2303 return smk_curacc_sem(sma, may); 2304 } 2305 2306 /** 2307 * smack_sem_shmctl - Smack access check for sem 2308 * @sma: the object 2309 * @cmd: what it wants to do 2310 * 2311 * Returns 0 if current has the requested access, error code otherwise 2312 */ 2313 static int smack_sem_semctl(struct sem_array *sma, int cmd) 2314 { 2315 int may; 2316 2317 switch (cmd) { 2318 case GETPID: 2319 case GETNCNT: 2320 case GETZCNT: 2321 case GETVAL: 2322 case GETALL: 2323 case IPC_STAT: 2324 case SEM_STAT: 2325 may = MAY_READ; 2326 break; 2327 case SETVAL: 2328 case SETALL: 2329 case IPC_RMID: 2330 case IPC_SET: 2331 may = MAY_READWRITE; 2332 break; 2333 case IPC_INFO: 2334 case SEM_INFO: 2335 /* 2336 * System level information 2337 */ 2338 return 0; 2339 default: 2340 return -EINVAL; 2341 } 2342 2343 return smk_curacc_sem(sma, may); 2344 } 2345 2346 /** 2347 * smack_sem_semop - Smack checks of semaphore operations 2348 * @sma: the object 2349 * @sops: unused 2350 * @nsops: unused 2351 * @alter: unused 2352 * 2353 * Treated as read and write in all cases. 2354 * 2355 * Returns 0 if access is allowed, error code otherwise 2356 */ 2357 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 2358 unsigned nsops, int alter) 2359 { 2360 return smk_curacc_sem(sma, MAY_READWRITE); 2361 } 2362 2363 /** 2364 * smack_msg_alloc_security - Set the security blob for msg 2365 * @msq: the object 2366 * 2367 * Returns 0 2368 */ 2369 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 2370 { 2371 struct kern_ipc_perm *kisp = &msq->q_perm; 2372 2373 kisp->security = smk_of_current(); 2374 return 0; 2375 } 2376 2377 /** 2378 * smack_msg_free_security - Clear the security blob for msg 2379 * @msq: the object 2380 * 2381 * Clears the blob pointer 2382 */ 2383 static void smack_msg_queue_free_security(struct msg_queue *msq) 2384 { 2385 struct kern_ipc_perm *kisp = &msq->q_perm; 2386 2387 kisp->security = NULL; 2388 } 2389 2390 /** 2391 * smack_of_msq - the smack pointer for the msq 2392 * @msq: the object 2393 * 2394 * Returns a pointer to the smack value 2395 */ 2396 static char *smack_of_msq(struct msg_queue *msq) 2397 { 2398 return (char *)msq->q_perm.security; 2399 } 2400 2401 /** 2402 * smk_curacc_msq : helper to check if current has access on msq 2403 * @msq : the msq 2404 * @access : access requested 2405 * 2406 * return 0 if current has access, error otherwise 2407 */ 2408 static int smk_curacc_msq(struct msg_queue *msq, int access) 2409 { 2410 char *msp = smack_of_msq(msq); 2411 struct smk_audit_info ad; 2412 2413 #ifdef CONFIG_AUDIT 2414 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2415 ad.a.u.ipc_id = msq->q_perm.id; 2416 #endif 2417 return smk_curacc(msp, access, &ad); 2418 } 2419 2420 /** 2421 * smack_msg_queue_associate - Smack access check for msg_queue 2422 * @msq: the object 2423 * @msqflg: access requested 2424 * 2425 * Returns 0 if current has the requested access, error code otherwise 2426 */ 2427 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 2428 { 2429 int may; 2430 2431 may = smack_flags_to_may(msqflg); 2432 return smk_curacc_msq(msq, may); 2433 } 2434 2435 /** 2436 * smack_msg_queue_msgctl - Smack access check for msg_queue 2437 * @msq: the object 2438 * @cmd: what it wants to do 2439 * 2440 * Returns 0 if current has the requested access, error code otherwise 2441 */ 2442 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 2443 { 2444 int may; 2445 2446 switch (cmd) { 2447 case IPC_STAT: 2448 case MSG_STAT: 2449 may = MAY_READ; 2450 break; 2451 case IPC_SET: 2452 case IPC_RMID: 2453 may = MAY_READWRITE; 2454 break; 2455 case IPC_INFO: 2456 case MSG_INFO: 2457 /* 2458 * System level information 2459 */ 2460 return 0; 2461 default: 2462 return -EINVAL; 2463 } 2464 2465 return smk_curacc_msq(msq, may); 2466 } 2467 2468 /** 2469 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2470 * @msq: the object 2471 * @msg: unused 2472 * @msqflg: access requested 2473 * 2474 * Returns 0 if current has the requested access, error code otherwise 2475 */ 2476 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 2477 int msqflg) 2478 { 2479 int may; 2480 2481 may = smack_flags_to_may(msqflg); 2482 return smk_curacc_msq(msq, may); 2483 } 2484 2485 /** 2486 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2487 * @msq: the object 2488 * @msg: unused 2489 * @target: unused 2490 * @type: unused 2491 * @mode: unused 2492 * 2493 * Returns 0 if current has read and write access, error code otherwise 2494 */ 2495 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 2496 struct task_struct *target, long type, int mode) 2497 { 2498 return smk_curacc_msq(msq, MAY_READWRITE); 2499 } 2500 2501 /** 2502 * smack_ipc_permission - Smack access for ipc_permission() 2503 * @ipp: the object permissions 2504 * @flag: access requested 2505 * 2506 * Returns 0 if current has read and write access, error code otherwise 2507 */ 2508 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 2509 { 2510 char *isp = ipp->security; 2511 int may = smack_flags_to_may(flag); 2512 struct smk_audit_info ad; 2513 2514 #ifdef CONFIG_AUDIT 2515 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2516 ad.a.u.ipc_id = ipp->id; 2517 #endif 2518 return smk_curacc(isp, may, &ad); 2519 } 2520 2521 /** 2522 * smack_ipc_getsecid - Extract smack security id 2523 * @ipp: the object permissions 2524 * @secid: where result will be saved 2525 */ 2526 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 2527 { 2528 char *smack = ipp->security; 2529 2530 *secid = smack_to_secid(smack); 2531 } 2532 2533 /** 2534 * smack_d_instantiate - Make sure the blob is correct on an inode 2535 * @opt_dentry: dentry where inode will be attached 2536 * @inode: the object 2537 * 2538 * Set the inode's security blob if it hasn't been done already. 2539 */ 2540 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 2541 { 2542 struct super_block *sbp; 2543 struct superblock_smack *sbsp; 2544 struct inode_smack *isp; 2545 char *csp = smk_of_current(); 2546 char *fetched; 2547 char *final; 2548 char trattr[TRANS_TRUE_SIZE]; 2549 int transflag = 0; 2550 struct dentry *dp; 2551 2552 if (inode == NULL) 2553 return; 2554 2555 isp = inode->i_security; 2556 2557 mutex_lock(&isp->smk_lock); 2558 /* 2559 * If the inode is already instantiated 2560 * take the quick way out 2561 */ 2562 if (isp->smk_flags & SMK_INODE_INSTANT) 2563 goto unlockandout; 2564 2565 sbp = inode->i_sb; 2566 sbsp = sbp->s_security; 2567 /* 2568 * We're going to use the superblock default label 2569 * if there's no label on the file. 2570 */ 2571 final = sbsp->smk_default; 2572 2573 /* 2574 * If this is the root inode the superblock 2575 * may be in the process of initialization. 2576 * If that is the case use the root value out 2577 * of the superblock. 2578 */ 2579 if (opt_dentry->d_parent == opt_dentry) { 2580 isp->smk_inode = sbsp->smk_root; 2581 isp->smk_flags |= SMK_INODE_INSTANT; 2582 goto unlockandout; 2583 } 2584 2585 /* 2586 * This is pretty hackish. 2587 * Casey says that we shouldn't have to do 2588 * file system specific code, but it does help 2589 * with keeping it simple. 2590 */ 2591 switch (sbp->s_magic) { 2592 case SMACK_MAGIC: 2593 /* 2594 * Casey says that it's a little embarrassing 2595 * that the smack file system doesn't do 2596 * extended attributes. 2597 */ 2598 final = smack_known_star.smk_known; 2599 break; 2600 case PIPEFS_MAGIC: 2601 /* 2602 * Casey says pipes are easy (?) 2603 */ 2604 final = smack_known_star.smk_known; 2605 break; 2606 case DEVPTS_SUPER_MAGIC: 2607 /* 2608 * devpts seems content with the label of the task. 2609 * Programs that change smack have to treat the 2610 * pty with respect. 2611 */ 2612 final = csp; 2613 break; 2614 case SOCKFS_MAGIC: 2615 /* 2616 * Socket access is controlled by the socket 2617 * structures associated with the task involved. 2618 */ 2619 final = smack_known_star.smk_known; 2620 break; 2621 case PROC_SUPER_MAGIC: 2622 /* 2623 * Casey says procfs appears not to care. 2624 * The superblock default suffices. 2625 */ 2626 break; 2627 case TMPFS_MAGIC: 2628 /* 2629 * Device labels should come from the filesystem, 2630 * but watch out, because they're volitile, 2631 * getting recreated on every reboot. 2632 */ 2633 final = smack_known_star.smk_known; 2634 /* 2635 * No break. 2636 * 2637 * If a smack value has been set we want to use it, 2638 * but since tmpfs isn't giving us the opportunity 2639 * to set mount options simulate setting the 2640 * superblock default. 2641 */ 2642 default: 2643 /* 2644 * This isn't an understood special case. 2645 * Get the value from the xattr. 2646 */ 2647 2648 /* 2649 * UNIX domain sockets use lower level socket data. 2650 */ 2651 if (S_ISSOCK(inode->i_mode)) { 2652 final = smack_known_star.smk_known; 2653 break; 2654 } 2655 /* 2656 * No xattr support means, alas, no SMACK label. 2657 * Use the aforeapplied default. 2658 * It would be curious if the label of the task 2659 * does not match that assigned. 2660 */ 2661 if (inode->i_op->getxattr == NULL) 2662 break; 2663 /* 2664 * Get the dentry for xattr. 2665 */ 2666 dp = dget(opt_dentry); 2667 fetched = smk_fetch(XATTR_NAME_SMACK, inode, dp); 2668 if (fetched != NULL) { 2669 final = fetched; 2670 if (S_ISDIR(inode->i_mode)) { 2671 trattr[0] = '\0'; 2672 inode->i_op->getxattr(dp, 2673 XATTR_NAME_SMACKTRANSMUTE, 2674 trattr, TRANS_TRUE_SIZE); 2675 if (strncmp(trattr, TRANS_TRUE, 2676 TRANS_TRUE_SIZE) == 0) 2677 transflag = SMK_INODE_TRANSMUTE; 2678 } 2679 } 2680 isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 2681 isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 2682 2683 dput(dp); 2684 break; 2685 } 2686 2687 if (final == NULL) 2688 isp->smk_inode = csp; 2689 else 2690 isp->smk_inode = final; 2691 2692 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 2693 2694 unlockandout: 2695 mutex_unlock(&isp->smk_lock); 2696 return; 2697 } 2698 2699 /** 2700 * smack_getprocattr - Smack process attribute access 2701 * @p: the object task 2702 * @name: the name of the attribute in /proc/.../attr 2703 * @value: where to put the result 2704 * 2705 * Places a copy of the task Smack into value 2706 * 2707 * Returns the length of the smack label or an error code 2708 */ 2709 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 2710 { 2711 char *cp; 2712 int slen; 2713 2714 if (strcmp(name, "current") != 0) 2715 return -EINVAL; 2716 2717 cp = kstrdup(smk_of_task(task_security(p)), GFP_KERNEL); 2718 if (cp == NULL) 2719 return -ENOMEM; 2720 2721 slen = strlen(cp); 2722 *value = cp; 2723 return slen; 2724 } 2725 2726 /** 2727 * smack_setprocattr - Smack process attribute setting 2728 * @p: the object task 2729 * @name: the name of the attribute in /proc/.../attr 2730 * @value: the value to set 2731 * @size: the size of the value 2732 * 2733 * Sets the Smack value of the task. Only setting self 2734 * is permitted and only with privilege 2735 * 2736 * Returns the length of the smack label or an error code 2737 */ 2738 static int smack_setprocattr(struct task_struct *p, char *name, 2739 void *value, size_t size) 2740 { 2741 int rc; 2742 struct task_smack *tsp; 2743 struct task_smack *oldtsp; 2744 struct cred *new; 2745 char *newsmack; 2746 2747 /* 2748 * Changing another process' Smack value is too dangerous 2749 * and supports no sane use case. 2750 */ 2751 if (p != current) 2752 return -EPERM; 2753 2754 if (!capable(CAP_MAC_ADMIN)) 2755 return -EPERM; 2756 2757 if (value == NULL || size == 0 || size >= SMK_LABELLEN) 2758 return -EINVAL; 2759 2760 if (strcmp(name, "current") != 0) 2761 return -EINVAL; 2762 2763 newsmack = smk_import(value, size); 2764 if (newsmack == NULL) 2765 return -EINVAL; 2766 2767 /* 2768 * No process is ever allowed the web ("@") label. 2769 */ 2770 if (newsmack == smack_known_web.smk_known) 2771 return -EPERM; 2772 2773 oldtsp = p->cred->security; 2774 new = prepare_creds(); 2775 if (new == NULL) 2776 return -ENOMEM; 2777 2778 tsp = new_task_smack(newsmack, oldtsp->smk_forked, GFP_KERNEL); 2779 if (tsp == NULL) { 2780 kfree(new); 2781 return -ENOMEM; 2782 } 2783 rc = smk_copy_rules(&tsp->smk_rules, &oldtsp->smk_rules, GFP_KERNEL); 2784 if (rc != 0) 2785 return rc; 2786 2787 new->security = tsp; 2788 commit_creds(new); 2789 return size; 2790 } 2791 2792 /** 2793 * smack_unix_stream_connect - Smack access on UDS 2794 * @sock: one sock 2795 * @other: the other sock 2796 * @newsk: unused 2797 * 2798 * Return 0 if a subject with the smack of sock could access 2799 * an object with the smack of other, otherwise an error code 2800 */ 2801 static int smack_unix_stream_connect(struct sock *sock, 2802 struct sock *other, struct sock *newsk) 2803 { 2804 struct socket_smack *ssp = sock->sk_security; 2805 struct socket_smack *osp = other->sk_security; 2806 struct socket_smack *nsp = newsk->sk_security; 2807 struct smk_audit_info ad; 2808 int rc = 0; 2809 2810 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2811 smk_ad_setfield_u_net_sk(&ad, other); 2812 2813 if (!capable(CAP_MAC_OVERRIDE)) 2814 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2815 2816 /* 2817 * Cross reference the peer labels for SO_PEERSEC. 2818 */ 2819 if (rc == 0) { 2820 nsp->smk_packet = ssp->smk_out; 2821 ssp->smk_packet = osp->smk_out; 2822 } 2823 2824 return rc; 2825 } 2826 2827 /** 2828 * smack_unix_may_send - Smack access on UDS 2829 * @sock: one socket 2830 * @other: the other socket 2831 * 2832 * Return 0 if a subject with the smack of sock could access 2833 * an object with the smack of other, otherwise an error code 2834 */ 2835 static int smack_unix_may_send(struct socket *sock, struct socket *other) 2836 { 2837 struct socket_smack *ssp = sock->sk->sk_security; 2838 struct socket_smack *osp = other->sk->sk_security; 2839 struct smk_audit_info ad; 2840 int rc = 0; 2841 2842 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2843 smk_ad_setfield_u_net_sk(&ad, other->sk); 2844 2845 if (!capable(CAP_MAC_OVERRIDE)) 2846 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2847 2848 return rc; 2849 } 2850 2851 /** 2852 * smack_socket_sendmsg - Smack check based on destination host 2853 * @sock: the socket 2854 * @msg: the message 2855 * @size: the size of the message 2856 * 2857 * Return 0 if the current subject can write to the destination 2858 * host. This is only a question if the destination is a single 2859 * label host. 2860 */ 2861 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 2862 int size) 2863 { 2864 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 2865 2866 /* 2867 * Perfectly reasonable for this to be NULL 2868 */ 2869 if (sip == NULL || sip->sin_family != AF_INET) 2870 return 0; 2871 2872 return smack_netlabel_send(sock->sk, sip); 2873 } 2874 2875 /** 2876 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 2877 * @sap: netlabel secattr 2878 * @ssp: socket security information 2879 * 2880 * Returns a pointer to a Smack label found on the label list. 2881 */ 2882 static char *smack_from_secattr(struct netlbl_lsm_secattr *sap, 2883 struct socket_smack *ssp) 2884 { 2885 struct smack_known *skp; 2886 char smack[SMK_LABELLEN]; 2887 char *sp; 2888 int pcat; 2889 2890 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 2891 /* 2892 * Looks like a CIPSO packet. 2893 * If there are flags but no level netlabel isn't 2894 * behaving the way we expect it to. 2895 * 2896 * Get the categories, if any 2897 * Without guidance regarding the smack value 2898 * for the packet fall back on the network 2899 * ambient value. 2900 */ 2901 memset(smack, '\0', SMK_LABELLEN); 2902 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0) 2903 for (pcat = -1;;) { 2904 pcat = netlbl_secattr_catmap_walk( 2905 sap->attr.mls.cat, pcat + 1); 2906 if (pcat < 0) 2907 break; 2908 smack_catset_bit(pcat, smack); 2909 } 2910 /* 2911 * If it is CIPSO using smack direct mapping 2912 * we are already done. WeeHee. 2913 */ 2914 if (sap->attr.mls.lvl == smack_cipso_direct) { 2915 /* 2916 * The label sent is usually on the label list. 2917 * 2918 * If it is not we may still want to allow the 2919 * delivery. 2920 * 2921 * If the recipient is accepting all packets 2922 * because it is using the star ("*") label 2923 * for SMACK64IPIN provide the web ("@") label 2924 * so that a directed response will succeed. 2925 * This is not very correct from a MAC point 2926 * of view, but gets around the problem that 2927 * locking prevents adding the newly discovered 2928 * label to the list. 2929 * The case where the recipient is not using 2930 * the star label should obviously fail. 2931 * The easy way to do this is to provide the 2932 * star label as the subject label. 2933 */ 2934 skp = smk_find_entry(smack); 2935 if (skp != NULL) 2936 return skp->smk_known; 2937 if (ssp != NULL && 2938 ssp->smk_in == smack_known_star.smk_known) 2939 return smack_known_web.smk_known; 2940 return smack_known_star.smk_known; 2941 } 2942 /* 2943 * Look it up in the supplied table if it is not 2944 * a direct mapping. 2945 */ 2946 sp = smack_from_cipso(sap->attr.mls.lvl, smack); 2947 if (sp != NULL) 2948 return sp; 2949 if (ssp != NULL && ssp->smk_in == smack_known_star.smk_known) 2950 return smack_known_web.smk_known; 2951 return smack_known_star.smk_known; 2952 } 2953 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 2954 /* 2955 * Looks like a fallback, which gives us a secid. 2956 */ 2957 sp = smack_from_secid(sap->attr.secid); 2958 /* 2959 * This has got to be a bug because it is 2960 * impossible to specify a fallback without 2961 * specifying the label, which will ensure 2962 * it has a secid, and the only way to get a 2963 * secid is from a fallback. 2964 */ 2965 BUG_ON(sp == NULL); 2966 return sp; 2967 } 2968 /* 2969 * Without guidance regarding the smack value 2970 * for the packet fall back on the network 2971 * ambient value. 2972 */ 2973 return smack_net_ambient; 2974 } 2975 2976 /** 2977 * smack_socket_sock_rcv_skb - Smack packet delivery access check 2978 * @sk: socket 2979 * @skb: packet 2980 * 2981 * Returns 0 if the packet should be delivered, an error code otherwise 2982 */ 2983 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 2984 { 2985 struct netlbl_lsm_secattr secattr; 2986 struct socket_smack *ssp = sk->sk_security; 2987 char *csp; 2988 int rc; 2989 struct smk_audit_info ad; 2990 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2991 return 0; 2992 2993 /* 2994 * Translate what netlabel gave us. 2995 */ 2996 netlbl_secattr_init(&secattr); 2997 2998 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 2999 if (rc == 0) 3000 csp = smack_from_secattr(&secattr, ssp); 3001 else 3002 csp = smack_net_ambient; 3003 3004 netlbl_secattr_destroy(&secattr); 3005 3006 #ifdef CONFIG_AUDIT 3007 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 3008 ad.a.u.net.family = sk->sk_family; 3009 ad.a.u.net.netif = skb->skb_iif; 3010 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3011 #endif 3012 /* 3013 * Receiving a packet requires that the other end 3014 * be able to write here. Read access is not required. 3015 * This is the simplist possible security model 3016 * for networking. 3017 */ 3018 rc = smk_access(csp, ssp->smk_in, MAY_WRITE, &ad); 3019 if (rc != 0) 3020 netlbl_skbuff_err(skb, rc, 0); 3021 return rc; 3022 } 3023 3024 /** 3025 * smack_socket_getpeersec_stream - pull in packet label 3026 * @sock: the socket 3027 * @optval: user's destination 3028 * @optlen: size thereof 3029 * @len: max thereof 3030 * 3031 * returns zero on success, an error code otherwise 3032 */ 3033 static int smack_socket_getpeersec_stream(struct socket *sock, 3034 char __user *optval, 3035 int __user *optlen, unsigned len) 3036 { 3037 struct socket_smack *ssp; 3038 char *rcp = ""; 3039 int slen = 1; 3040 int rc = 0; 3041 3042 ssp = sock->sk->sk_security; 3043 if (ssp->smk_packet != NULL) { 3044 rcp = ssp->smk_packet; 3045 slen = strlen(rcp) + 1; 3046 } 3047 3048 if (slen > len) 3049 rc = -ERANGE; 3050 else if (copy_to_user(optval, rcp, slen) != 0) 3051 rc = -EFAULT; 3052 3053 if (put_user(slen, optlen) != 0) 3054 rc = -EFAULT; 3055 3056 return rc; 3057 } 3058 3059 3060 /** 3061 * smack_socket_getpeersec_dgram - pull in packet label 3062 * @sock: the peer socket 3063 * @skb: packet data 3064 * @secid: pointer to where to put the secid of the packet 3065 * 3066 * Sets the netlabel socket state on sk from parent 3067 */ 3068 static int smack_socket_getpeersec_dgram(struct socket *sock, 3069 struct sk_buff *skb, u32 *secid) 3070 3071 { 3072 struct netlbl_lsm_secattr secattr; 3073 struct socket_smack *ssp = NULL; 3074 char *sp; 3075 int family = PF_UNSPEC; 3076 u32 s = 0; /* 0 is the invalid secid */ 3077 int rc; 3078 3079 if (skb != NULL) { 3080 if (skb->protocol == htons(ETH_P_IP)) 3081 family = PF_INET; 3082 else if (skb->protocol == htons(ETH_P_IPV6)) 3083 family = PF_INET6; 3084 } 3085 if (family == PF_UNSPEC && sock != NULL) 3086 family = sock->sk->sk_family; 3087 3088 if (family == PF_UNIX) { 3089 ssp = sock->sk->sk_security; 3090 s = smack_to_secid(ssp->smk_out); 3091 } else if (family == PF_INET || family == PF_INET6) { 3092 /* 3093 * Translate what netlabel gave us. 3094 */ 3095 if (sock != NULL && sock->sk != NULL) 3096 ssp = sock->sk->sk_security; 3097 netlbl_secattr_init(&secattr); 3098 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3099 if (rc == 0) { 3100 sp = smack_from_secattr(&secattr, ssp); 3101 s = smack_to_secid(sp); 3102 } 3103 netlbl_secattr_destroy(&secattr); 3104 } 3105 *secid = s; 3106 if (s == 0) 3107 return -EINVAL; 3108 return 0; 3109 } 3110 3111 /** 3112 * smack_sock_graft - Initialize a newly created socket with an existing sock 3113 * @sk: child sock 3114 * @parent: parent socket 3115 * 3116 * Set the smk_{in,out} state of an existing sock based on the process that 3117 * is creating the new socket. 3118 */ 3119 static void smack_sock_graft(struct sock *sk, struct socket *parent) 3120 { 3121 struct socket_smack *ssp; 3122 3123 if (sk == NULL || 3124 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 3125 return; 3126 3127 ssp = sk->sk_security; 3128 ssp->smk_in = ssp->smk_out = smk_of_current(); 3129 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 3130 } 3131 3132 /** 3133 * smack_inet_conn_request - Smack access check on connect 3134 * @sk: socket involved 3135 * @skb: packet 3136 * @req: unused 3137 * 3138 * Returns 0 if a task with the packet label could write to 3139 * the socket, otherwise an error code 3140 */ 3141 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 3142 struct request_sock *req) 3143 { 3144 u16 family = sk->sk_family; 3145 struct socket_smack *ssp = sk->sk_security; 3146 struct netlbl_lsm_secattr secattr; 3147 struct sockaddr_in addr; 3148 struct iphdr *hdr; 3149 char *sp; 3150 int rc; 3151 struct smk_audit_info ad; 3152 3153 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 3154 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3155 family = PF_INET; 3156 3157 netlbl_secattr_init(&secattr); 3158 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3159 if (rc == 0) 3160 sp = smack_from_secattr(&secattr, ssp); 3161 else 3162 sp = smack_known_huh.smk_known; 3163 netlbl_secattr_destroy(&secattr); 3164 3165 #ifdef CONFIG_AUDIT 3166 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 3167 ad.a.u.net.family = family; 3168 ad.a.u.net.netif = skb->skb_iif; 3169 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3170 #endif 3171 /* 3172 * Receiving a packet requires that the other end be able to write 3173 * here. Read access is not required. 3174 */ 3175 rc = smk_access(sp, ssp->smk_in, MAY_WRITE, &ad); 3176 if (rc != 0) 3177 return rc; 3178 3179 /* 3180 * Save the peer's label in the request_sock so we can later setup 3181 * smk_packet in the child socket so that SO_PEERCRED can report it. 3182 */ 3183 req->peer_secid = smack_to_secid(sp); 3184 3185 /* 3186 * We need to decide if we want to label the incoming connection here 3187 * if we do we only need to label the request_sock and the stack will 3188 * propagate the wire-label to the sock when it is created. 3189 */ 3190 hdr = ip_hdr(skb); 3191 addr.sin_addr.s_addr = hdr->saddr; 3192 rcu_read_lock(); 3193 if (smack_host_label(&addr) == NULL) { 3194 rcu_read_unlock(); 3195 netlbl_secattr_init(&secattr); 3196 smack_to_secattr(sp, &secattr); 3197 rc = netlbl_req_setattr(req, &secattr); 3198 netlbl_secattr_destroy(&secattr); 3199 } else { 3200 rcu_read_unlock(); 3201 netlbl_req_delattr(req); 3202 } 3203 3204 return rc; 3205 } 3206 3207 /** 3208 * smack_inet_csk_clone - Copy the connection information to the new socket 3209 * @sk: the new socket 3210 * @req: the connection's request_sock 3211 * 3212 * Transfer the connection's peer label to the newly created socket. 3213 */ 3214 static void smack_inet_csk_clone(struct sock *sk, 3215 const struct request_sock *req) 3216 { 3217 struct socket_smack *ssp = sk->sk_security; 3218 3219 if (req->peer_secid != 0) 3220 ssp->smk_packet = smack_from_secid(req->peer_secid); 3221 else 3222 ssp->smk_packet = NULL; 3223 } 3224 3225 /* 3226 * Key management security hooks 3227 * 3228 * Casey has not tested key support very heavily. 3229 * The permission check is most likely too restrictive. 3230 * If you care about keys please have a look. 3231 */ 3232 #ifdef CONFIG_KEYS 3233 3234 /** 3235 * smack_key_alloc - Set the key security blob 3236 * @key: object 3237 * @cred: the credentials to use 3238 * @flags: unused 3239 * 3240 * No allocation required 3241 * 3242 * Returns 0 3243 */ 3244 static int smack_key_alloc(struct key *key, const struct cred *cred, 3245 unsigned long flags) 3246 { 3247 key->security = smk_of_task(cred->security); 3248 return 0; 3249 } 3250 3251 /** 3252 * smack_key_free - Clear the key security blob 3253 * @key: the object 3254 * 3255 * Clear the blob pointer 3256 */ 3257 static void smack_key_free(struct key *key) 3258 { 3259 key->security = NULL; 3260 } 3261 3262 /* 3263 * smack_key_permission - Smack access on a key 3264 * @key_ref: gets to the object 3265 * @cred: the credentials to use 3266 * @perm: unused 3267 * 3268 * Return 0 if the task has read and write to the object, 3269 * an error code otherwise 3270 */ 3271 static int smack_key_permission(key_ref_t key_ref, 3272 const struct cred *cred, key_perm_t perm) 3273 { 3274 struct key *keyp; 3275 struct smk_audit_info ad; 3276 char *tsp = smk_of_task(cred->security); 3277 3278 keyp = key_ref_to_ptr(key_ref); 3279 if (keyp == NULL) 3280 return -EINVAL; 3281 /* 3282 * If the key hasn't been initialized give it access so that 3283 * it may do so. 3284 */ 3285 if (keyp->security == NULL) 3286 return 0; 3287 /* 3288 * This should not occur 3289 */ 3290 if (tsp == NULL) 3291 return -EACCES; 3292 #ifdef CONFIG_AUDIT 3293 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 3294 ad.a.u.key_struct.key = keyp->serial; 3295 ad.a.u.key_struct.key_desc = keyp->description; 3296 #endif 3297 return smk_access(tsp, keyp->security, 3298 MAY_READWRITE, &ad); 3299 } 3300 #endif /* CONFIG_KEYS */ 3301 3302 /* 3303 * Smack Audit hooks 3304 * 3305 * Audit requires a unique representation of each Smack specific 3306 * rule. This unique representation is used to distinguish the 3307 * object to be audited from remaining kernel objects and also 3308 * works as a glue between the audit hooks. 3309 * 3310 * Since repository entries are added but never deleted, we'll use 3311 * the smack_known label address related to the given audit rule as 3312 * the needed unique representation. This also better fits the smack 3313 * model where nearly everything is a label. 3314 */ 3315 #ifdef CONFIG_AUDIT 3316 3317 /** 3318 * smack_audit_rule_init - Initialize a smack audit rule 3319 * @field: audit rule fields given from user-space (audit.h) 3320 * @op: required testing operator (=, !=, >, <, ...) 3321 * @rulestr: smack label to be audited 3322 * @vrule: pointer to save our own audit rule representation 3323 * 3324 * Prepare to audit cases where (@field @op @rulestr) is true. 3325 * The label to be audited is created if necessay. 3326 */ 3327 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3328 { 3329 char **rule = (char **)vrule; 3330 *rule = NULL; 3331 3332 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3333 return -EINVAL; 3334 3335 if (op != Audit_equal && op != Audit_not_equal) 3336 return -EINVAL; 3337 3338 *rule = smk_import(rulestr, 0); 3339 3340 return 0; 3341 } 3342 3343 /** 3344 * smack_audit_rule_known - Distinguish Smack audit rules 3345 * @krule: rule of interest, in Audit kernel representation format 3346 * 3347 * This is used to filter Smack rules from remaining Audit ones. 3348 * If it's proved that this rule belongs to us, the 3349 * audit_rule_match hook will be called to do the final judgement. 3350 */ 3351 static int smack_audit_rule_known(struct audit_krule *krule) 3352 { 3353 struct audit_field *f; 3354 int i; 3355 3356 for (i = 0; i < krule->field_count; i++) { 3357 f = &krule->fields[i]; 3358 3359 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 3360 return 1; 3361 } 3362 3363 return 0; 3364 } 3365 3366 /** 3367 * smack_audit_rule_match - Audit given object ? 3368 * @secid: security id for identifying the object to test 3369 * @field: audit rule flags given from user-space 3370 * @op: required testing operator 3371 * @vrule: smack internal rule presentation 3372 * @actx: audit context associated with the check 3373 * 3374 * The core Audit hook. It's used to take the decision of 3375 * whether to audit or not to audit a given object. 3376 */ 3377 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 3378 struct audit_context *actx) 3379 { 3380 char *smack; 3381 char *rule = vrule; 3382 3383 if (!rule) { 3384 audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, 3385 "Smack: missing rule\n"); 3386 return -ENOENT; 3387 } 3388 3389 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3390 return 0; 3391 3392 smack = smack_from_secid(secid); 3393 3394 /* 3395 * No need to do string comparisons. If a match occurs, 3396 * both pointers will point to the same smack_known 3397 * label. 3398 */ 3399 if (op == Audit_equal) 3400 return (rule == smack); 3401 if (op == Audit_not_equal) 3402 return (rule != smack); 3403 3404 return 0; 3405 } 3406 3407 /** 3408 * smack_audit_rule_free - free smack rule representation 3409 * @vrule: rule to be freed. 3410 * 3411 * No memory was allocated. 3412 */ 3413 static void smack_audit_rule_free(void *vrule) 3414 { 3415 /* No-op */ 3416 } 3417 3418 #endif /* CONFIG_AUDIT */ 3419 3420 /** 3421 * smack_secid_to_secctx - return the smack label for a secid 3422 * @secid: incoming integer 3423 * @secdata: destination 3424 * @seclen: how long it is 3425 * 3426 * Exists for networking code. 3427 */ 3428 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 3429 { 3430 char *sp = smack_from_secid(secid); 3431 3432 if (secdata) 3433 *secdata = sp; 3434 *seclen = strlen(sp); 3435 return 0; 3436 } 3437 3438 /** 3439 * smack_secctx_to_secid - return the secid for a smack label 3440 * @secdata: smack label 3441 * @seclen: how long result is 3442 * @secid: outgoing integer 3443 * 3444 * Exists for audit and networking code. 3445 */ 3446 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 3447 { 3448 *secid = smack_to_secid(secdata); 3449 return 0; 3450 } 3451 3452 /** 3453 * smack_release_secctx - don't do anything. 3454 * @secdata: unused 3455 * @seclen: unused 3456 * 3457 * Exists to make sure nothing gets done, and properly 3458 */ 3459 static void smack_release_secctx(char *secdata, u32 seclen) 3460 { 3461 } 3462 3463 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 3464 { 3465 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 3466 } 3467 3468 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 3469 { 3470 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 3471 } 3472 3473 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 3474 { 3475 int len = 0; 3476 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 3477 3478 if (len < 0) 3479 return len; 3480 *ctxlen = len; 3481 return 0; 3482 } 3483 3484 struct security_operations smack_ops = { 3485 .name = "smack", 3486 3487 .ptrace_access_check = smack_ptrace_access_check, 3488 .ptrace_traceme = smack_ptrace_traceme, 3489 .syslog = smack_syslog, 3490 3491 .sb_alloc_security = smack_sb_alloc_security, 3492 .sb_free_security = smack_sb_free_security, 3493 .sb_copy_data = smack_sb_copy_data, 3494 .sb_kern_mount = smack_sb_kern_mount, 3495 .sb_statfs = smack_sb_statfs, 3496 .sb_mount = smack_sb_mount, 3497 .sb_umount = smack_sb_umount, 3498 3499 .bprm_set_creds = smack_bprm_set_creds, 3500 .bprm_committing_creds = smack_bprm_committing_creds, 3501 .bprm_secureexec = smack_bprm_secureexec, 3502 3503 .inode_alloc_security = smack_inode_alloc_security, 3504 .inode_free_security = smack_inode_free_security, 3505 .inode_init_security = smack_inode_init_security, 3506 .inode_link = smack_inode_link, 3507 .inode_unlink = smack_inode_unlink, 3508 .inode_rmdir = smack_inode_rmdir, 3509 .inode_rename = smack_inode_rename, 3510 .inode_permission = smack_inode_permission, 3511 .inode_setattr = smack_inode_setattr, 3512 .inode_getattr = smack_inode_getattr, 3513 .inode_setxattr = smack_inode_setxattr, 3514 .inode_post_setxattr = smack_inode_post_setxattr, 3515 .inode_getxattr = smack_inode_getxattr, 3516 .inode_removexattr = smack_inode_removexattr, 3517 .inode_getsecurity = smack_inode_getsecurity, 3518 .inode_setsecurity = smack_inode_setsecurity, 3519 .inode_listsecurity = smack_inode_listsecurity, 3520 .inode_getsecid = smack_inode_getsecid, 3521 3522 .file_permission = smack_file_permission, 3523 .file_alloc_security = smack_file_alloc_security, 3524 .file_free_security = smack_file_free_security, 3525 .file_ioctl = smack_file_ioctl, 3526 .file_lock = smack_file_lock, 3527 .file_fcntl = smack_file_fcntl, 3528 .file_mmap = smack_file_mmap, 3529 .file_set_fowner = smack_file_set_fowner, 3530 .file_send_sigiotask = smack_file_send_sigiotask, 3531 .file_receive = smack_file_receive, 3532 3533 .dentry_open = smack_dentry_open, 3534 3535 .cred_alloc_blank = smack_cred_alloc_blank, 3536 .cred_free = smack_cred_free, 3537 .cred_prepare = smack_cred_prepare, 3538 .cred_transfer = smack_cred_transfer, 3539 .kernel_act_as = smack_kernel_act_as, 3540 .kernel_create_files_as = smack_kernel_create_files_as, 3541 .task_setpgid = smack_task_setpgid, 3542 .task_getpgid = smack_task_getpgid, 3543 .task_getsid = smack_task_getsid, 3544 .task_getsecid = smack_task_getsecid, 3545 .task_setnice = smack_task_setnice, 3546 .task_setioprio = smack_task_setioprio, 3547 .task_getioprio = smack_task_getioprio, 3548 .task_setscheduler = smack_task_setscheduler, 3549 .task_getscheduler = smack_task_getscheduler, 3550 .task_movememory = smack_task_movememory, 3551 .task_kill = smack_task_kill, 3552 .task_wait = smack_task_wait, 3553 .task_to_inode = smack_task_to_inode, 3554 3555 .ipc_permission = smack_ipc_permission, 3556 .ipc_getsecid = smack_ipc_getsecid, 3557 3558 .msg_msg_alloc_security = smack_msg_msg_alloc_security, 3559 .msg_msg_free_security = smack_msg_msg_free_security, 3560 3561 .msg_queue_alloc_security = smack_msg_queue_alloc_security, 3562 .msg_queue_free_security = smack_msg_queue_free_security, 3563 .msg_queue_associate = smack_msg_queue_associate, 3564 .msg_queue_msgctl = smack_msg_queue_msgctl, 3565 .msg_queue_msgsnd = smack_msg_queue_msgsnd, 3566 .msg_queue_msgrcv = smack_msg_queue_msgrcv, 3567 3568 .shm_alloc_security = smack_shm_alloc_security, 3569 .shm_free_security = smack_shm_free_security, 3570 .shm_associate = smack_shm_associate, 3571 .shm_shmctl = smack_shm_shmctl, 3572 .shm_shmat = smack_shm_shmat, 3573 3574 .sem_alloc_security = smack_sem_alloc_security, 3575 .sem_free_security = smack_sem_free_security, 3576 .sem_associate = smack_sem_associate, 3577 .sem_semctl = smack_sem_semctl, 3578 .sem_semop = smack_sem_semop, 3579 3580 .d_instantiate = smack_d_instantiate, 3581 3582 .getprocattr = smack_getprocattr, 3583 .setprocattr = smack_setprocattr, 3584 3585 .unix_stream_connect = smack_unix_stream_connect, 3586 .unix_may_send = smack_unix_may_send, 3587 3588 .socket_post_create = smack_socket_post_create, 3589 .socket_connect = smack_socket_connect, 3590 .socket_sendmsg = smack_socket_sendmsg, 3591 .socket_sock_rcv_skb = smack_socket_sock_rcv_skb, 3592 .socket_getpeersec_stream = smack_socket_getpeersec_stream, 3593 .socket_getpeersec_dgram = smack_socket_getpeersec_dgram, 3594 .sk_alloc_security = smack_sk_alloc_security, 3595 .sk_free_security = smack_sk_free_security, 3596 .sock_graft = smack_sock_graft, 3597 .inet_conn_request = smack_inet_conn_request, 3598 .inet_csk_clone = smack_inet_csk_clone, 3599 3600 /* key management security hooks */ 3601 #ifdef CONFIG_KEYS 3602 .key_alloc = smack_key_alloc, 3603 .key_free = smack_key_free, 3604 .key_permission = smack_key_permission, 3605 #endif /* CONFIG_KEYS */ 3606 3607 /* Audit hooks */ 3608 #ifdef CONFIG_AUDIT 3609 .audit_rule_init = smack_audit_rule_init, 3610 .audit_rule_known = smack_audit_rule_known, 3611 .audit_rule_match = smack_audit_rule_match, 3612 .audit_rule_free = smack_audit_rule_free, 3613 #endif /* CONFIG_AUDIT */ 3614 3615 .secid_to_secctx = smack_secid_to_secctx, 3616 .secctx_to_secid = smack_secctx_to_secid, 3617 .release_secctx = smack_release_secctx, 3618 .inode_notifysecctx = smack_inode_notifysecctx, 3619 .inode_setsecctx = smack_inode_setsecctx, 3620 .inode_getsecctx = smack_inode_getsecctx, 3621 }; 3622 3623 3624 static __init void init_smack_know_list(void) 3625 { 3626 list_add(&smack_known_huh.list, &smack_known_list); 3627 list_add(&smack_known_hat.list, &smack_known_list); 3628 list_add(&smack_known_star.list, &smack_known_list); 3629 list_add(&smack_known_floor.list, &smack_known_list); 3630 list_add(&smack_known_invalid.list, &smack_known_list); 3631 list_add(&smack_known_web.list, &smack_known_list); 3632 } 3633 3634 /** 3635 * smack_init - initialize the smack system 3636 * 3637 * Returns 0 3638 */ 3639 static __init int smack_init(void) 3640 { 3641 struct cred *cred; 3642 struct task_smack *tsp; 3643 3644 if (!security_module_enable(&smack_ops)) 3645 return 0; 3646 3647 tsp = new_task_smack(smack_known_floor.smk_known, 3648 smack_known_floor.smk_known, GFP_KERNEL); 3649 if (tsp == NULL) 3650 return -ENOMEM; 3651 3652 printk(KERN_INFO "Smack: Initializing.\n"); 3653 3654 /* 3655 * Set the security state for the initial task. 3656 */ 3657 cred = (struct cred *) current->cred; 3658 cred->security = tsp; 3659 3660 /* initialize the smack_know_list */ 3661 init_smack_know_list(); 3662 /* 3663 * Initialize locks 3664 */ 3665 spin_lock_init(&smack_known_huh.smk_cipsolock); 3666 spin_lock_init(&smack_known_hat.smk_cipsolock); 3667 spin_lock_init(&smack_known_star.smk_cipsolock); 3668 spin_lock_init(&smack_known_floor.smk_cipsolock); 3669 spin_lock_init(&smack_known_invalid.smk_cipsolock); 3670 3671 /* 3672 * Register with LSM 3673 */ 3674 if (register_security(&smack_ops)) 3675 panic("smack: Unable to register with kernel.\n"); 3676 3677 return 0; 3678 } 3679 3680 /* 3681 * Smack requires early initialization in order to label 3682 * all processes and objects when they are created. 3683 */ 3684 security_initcall(smack_init); 3685