1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <uapi/linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include <linux/watch_queue.h> 46 #include <linux/io_uring/cmd.h> 47 #include <uapi/linux/lsm.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 /* 58 * Smack uses multiple xattrs. 59 * SMACK64 - for access control, 60 * SMACK64TRANSMUTE - label initialization, 61 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 62 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 63 */ 64 #define SMACK_INODE_INIT_XATTRS 2 65 66 #ifdef SMACK_IPV6_PORT_LABELING 67 static DEFINE_MUTEX(smack_ipv6_lock); 68 static LIST_HEAD(smk_ipv6_port_list); 69 #endif 70 struct kmem_cache *smack_rule_cache; 71 int smack_enabled __initdata; 72 73 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 74 static struct { 75 const char *name; 76 int len; 77 int opt; 78 } smk_mount_opts[] = { 79 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 80 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 81 }; 82 #undef A 83 84 static int match_opt_prefix(char *s, int l, char **arg) 85 { 86 int i; 87 88 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 89 size_t len = smk_mount_opts[i].len; 90 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 91 continue; 92 if (len == l || s[len] != '=') 93 continue; 94 *arg = s + len + 1; 95 return smk_mount_opts[i].opt; 96 } 97 return Opt_error; 98 } 99 100 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 101 static char *smk_bu_mess[] = { 102 "Bringup Error", /* Unused */ 103 "Bringup", /* SMACK_BRINGUP_ALLOW */ 104 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 105 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 106 }; 107 108 static void smk_bu_mode(int mode, char *s) 109 { 110 smack_str_from_perm(s, mode); 111 } 112 #endif 113 114 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 115 static int smk_bu_note(char *note, struct smack_known *sskp, 116 struct smack_known *oskp, int mode, int rc) 117 { 118 char acc[SMK_NUM_ACCESS_TYPE + 1]; 119 120 if (rc <= 0) 121 return rc; 122 if (rc > SMACK_UNCONFINED_OBJECT) 123 rc = 0; 124 125 smk_bu_mode(mode, acc); 126 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 127 sskp->smk_known, oskp->smk_known, acc, note); 128 return 0; 129 } 130 #else 131 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 132 #endif 133 134 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 135 static int smk_bu_current(char *note, struct smack_known *oskp, 136 int mode, int rc) 137 { 138 struct task_smack *tsp = smack_cred(current_cred()); 139 char acc[SMK_NUM_ACCESS_TYPE + 1]; 140 141 if (rc <= 0) 142 return rc; 143 if (rc > SMACK_UNCONFINED_OBJECT) 144 rc = 0; 145 146 smk_bu_mode(mode, acc); 147 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 148 tsp->smk_task->smk_known, oskp->smk_known, 149 acc, current->comm, note); 150 return 0; 151 } 152 #else 153 #define smk_bu_current(note, oskp, mode, RC) (RC) 154 #endif 155 156 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 157 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 158 { 159 struct task_smack *tsp = smack_cred(current_cred()); 160 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 161 char acc[SMK_NUM_ACCESS_TYPE + 1]; 162 163 if (rc <= 0) 164 return rc; 165 if (rc > SMACK_UNCONFINED_OBJECT) 166 rc = 0; 167 168 smk_bu_mode(mode, acc); 169 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 170 tsp->smk_task->smk_known, smk_task->smk_known, acc, 171 current->comm, otp->comm); 172 return 0; 173 } 174 #else 175 #define smk_bu_task(otp, mode, RC) (RC) 176 #endif 177 178 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 179 static int smk_bu_inode(struct inode *inode, int mode, int rc) 180 { 181 struct task_smack *tsp = smack_cred(current_cred()); 182 struct inode_smack *isp = smack_inode(inode); 183 char acc[SMK_NUM_ACCESS_TYPE + 1]; 184 185 if (isp->smk_flags & SMK_INODE_IMPURE) 186 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 187 inode->i_sb->s_id, inode->i_ino, current->comm); 188 189 if (rc <= 0) 190 return rc; 191 if (rc > SMACK_UNCONFINED_OBJECT) 192 rc = 0; 193 if (rc == SMACK_UNCONFINED_SUBJECT && 194 (mode & (MAY_WRITE | MAY_APPEND))) 195 isp->smk_flags |= SMK_INODE_IMPURE; 196 197 smk_bu_mode(mode, acc); 198 199 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 200 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 201 inode->i_sb->s_id, inode->i_ino, current->comm); 202 return 0; 203 } 204 #else 205 #define smk_bu_inode(inode, mode, RC) (RC) 206 #endif 207 208 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 209 static int smk_bu_file(struct file *file, int mode, int rc) 210 { 211 struct task_smack *tsp = smack_cred(current_cred()); 212 struct smack_known *sskp = tsp->smk_task; 213 struct inode *inode = file_inode(file); 214 struct inode_smack *isp = smack_inode(inode); 215 char acc[SMK_NUM_ACCESS_TYPE + 1]; 216 217 if (isp->smk_flags & SMK_INODE_IMPURE) 218 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 219 inode->i_sb->s_id, inode->i_ino, current->comm); 220 221 if (rc <= 0) 222 return rc; 223 if (rc > SMACK_UNCONFINED_OBJECT) 224 rc = 0; 225 226 smk_bu_mode(mode, acc); 227 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 228 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 229 inode->i_sb->s_id, inode->i_ino, file, 230 current->comm); 231 return 0; 232 } 233 #else 234 #define smk_bu_file(file, mode, RC) (RC) 235 #endif 236 237 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 238 static int smk_bu_credfile(const struct cred *cred, struct file *file, 239 int mode, int rc) 240 { 241 struct task_smack *tsp = smack_cred(cred); 242 struct smack_known *sskp = tsp->smk_task; 243 struct inode *inode = file_inode(file); 244 struct inode_smack *isp = smack_inode(inode); 245 char acc[SMK_NUM_ACCESS_TYPE + 1]; 246 247 if (isp->smk_flags & SMK_INODE_IMPURE) 248 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 249 inode->i_sb->s_id, inode->i_ino, current->comm); 250 251 if (rc <= 0) 252 return rc; 253 if (rc > SMACK_UNCONFINED_OBJECT) 254 rc = 0; 255 256 smk_bu_mode(mode, acc); 257 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 258 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 259 inode->i_sb->s_id, inode->i_ino, file, 260 current->comm); 261 return 0; 262 } 263 #else 264 #define smk_bu_credfile(cred, file, mode, RC) (RC) 265 #endif 266 267 /** 268 * smk_fetch - Fetch the smack label from a file. 269 * @name: type of the label (attribute) 270 * @ip: a pointer to the inode 271 * @dp: a pointer to the dentry 272 * 273 * Returns a pointer to the master list entry for the Smack label, 274 * NULL if there was no label to fetch, or an error code. 275 */ 276 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 277 struct dentry *dp) 278 { 279 int rc; 280 char *buffer; 281 struct smack_known *skp = NULL; 282 283 if (!(ip->i_opflags & IOP_XATTR)) 284 return ERR_PTR(-EOPNOTSUPP); 285 286 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 287 if (buffer == NULL) 288 return ERR_PTR(-ENOMEM); 289 290 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 291 if (rc < 0) 292 skp = ERR_PTR(rc); 293 else if (rc == 0) 294 skp = NULL; 295 else 296 skp = smk_import_entry(buffer, rc); 297 298 kfree(buffer); 299 300 return skp; 301 } 302 303 /** 304 * init_inode_smack - initialize an inode security blob 305 * @inode: inode to extract the info from 306 * @skp: a pointer to the Smack label entry to use in the blob 307 * 308 */ 309 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 310 { 311 struct inode_smack *isp = smack_inode(inode); 312 313 isp->smk_inode = skp; 314 isp->smk_flags = 0; 315 } 316 317 /** 318 * init_task_smack - initialize a task security blob 319 * @tsp: blob to initialize 320 * @task: a pointer to the Smack label for the running task 321 * @forked: a pointer to the Smack label for the forked task 322 * 323 */ 324 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 325 struct smack_known *forked) 326 { 327 tsp->smk_task = task; 328 tsp->smk_forked = forked; 329 INIT_LIST_HEAD(&tsp->smk_rules); 330 INIT_LIST_HEAD(&tsp->smk_relabel); 331 mutex_init(&tsp->smk_rules_lock); 332 } 333 334 /** 335 * smk_copy_rules - copy a rule set 336 * @nhead: new rules header pointer 337 * @ohead: old rules header pointer 338 * @gfp: type of the memory for the allocation 339 * 340 * Returns 0 on success, -ENOMEM on error 341 */ 342 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 343 gfp_t gfp) 344 { 345 struct smack_rule *nrp; 346 struct smack_rule *orp; 347 int rc = 0; 348 349 list_for_each_entry_rcu(orp, ohead, list) { 350 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 351 if (nrp == NULL) { 352 rc = -ENOMEM; 353 break; 354 } 355 *nrp = *orp; 356 list_add_rcu(&nrp->list, nhead); 357 } 358 return rc; 359 } 360 361 /** 362 * smk_copy_relabel - copy smk_relabel labels list 363 * @nhead: new rules header pointer 364 * @ohead: old rules header pointer 365 * @gfp: type of the memory for the allocation 366 * 367 * Returns 0 on success, -ENOMEM on error 368 */ 369 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 370 gfp_t gfp) 371 { 372 struct smack_known_list_elem *nklep; 373 struct smack_known_list_elem *oklep; 374 375 list_for_each_entry(oklep, ohead, list) { 376 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 377 if (nklep == NULL) { 378 smk_destroy_label_list(nhead); 379 return -ENOMEM; 380 } 381 nklep->smk_label = oklep->smk_label; 382 list_add(&nklep->list, nhead); 383 } 384 385 return 0; 386 } 387 388 /** 389 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 390 * @mode: input mode in form of PTRACE_MODE_* 391 * 392 * Returns a converted MAY_* mode usable by smack rules 393 */ 394 static inline unsigned int smk_ptrace_mode(unsigned int mode) 395 { 396 if (mode & PTRACE_MODE_ATTACH) 397 return MAY_READWRITE; 398 if (mode & PTRACE_MODE_READ) 399 return MAY_READ; 400 401 return 0; 402 } 403 404 /** 405 * smk_ptrace_rule_check - helper for ptrace access 406 * @tracer: tracer process 407 * @tracee_known: label entry of the process that's about to be traced 408 * @mode: ptrace attachment mode (PTRACE_MODE_*) 409 * @func: name of the function that called us, used for audit 410 * 411 * Returns 0 on access granted, -error on error 412 */ 413 static int smk_ptrace_rule_check(struct task_struct *tracer, 414 struct smack_known *tracee_known, 415 unsigned int mode, const char *func) 416 { 417 int rc; 418 struct smk_audit_info ad, *saip = NULL; 419 struct task_smack *tsp; 420 struct smack_known *tracer_known; 421 const struct cred *tracercred; 422 423 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 424 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 425 smk_ad_setfield_u_tsk(&ad, tracer); 426 saip = &ad; 427 } 428 429 rcu_read_lock(); 430 tracercred = __task_cred(tracer); 431 tsp = smack_cred(tracercred); 432 tracer_known = smk_of_task(tsp); 433 434 if ((mode & PTRACE_MODE_ATTACH) && 435 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 436 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 437 if (tracer_known->smk_known == tracee_known->smk_known) 438 rc = 0; 439 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 440 rc = -EACCES; 441 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 442 rc = 0; 443 else 444 rc = -EACCES; 445 446 if (saip) 447 smack_log(tracer_known->smk_known, 448 tracee_known->smk_known, 449 0, rc, saip); 450 451 rcu_read_unlock(); 452 return rc; 453 } 454 455 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 456 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 457 458 rcu_read_unlock(); 459 return rc; 460 } 461 462 /* 463 * LSM hooks. 464 * We he, that is fun! 465 */ 466 467 /** 468 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 469 * @ctp: child task pointer 470 * @mode: ptrace attachment mode (PTRACE_MODE_*) 471 * 472 * Returns 0 if access is OK, an error code otherwise 473 * 474 * Do the capability checks. 475 */ 476 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 477 { 478 struct smack_known *skp; 479 480 skp = smk_of_task_struct_obj(ctp); 481 482 return smk_ptrace_rule_check(current, skp, mode, __func__); 483 } 484 485 /** 486 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 487 * @ptp: parent task pointer 488 * 489 * Returns 0 if access is OK, an error code otherwise 490 * 491 * Do the capability checks, and require PTRACE_MODE_ATTACH. 492 */ 493 static int smack_ptrace_traceme(struct task_struct *ptp) 494 { 495 struct smack_known *skp; 496 497 skp = smk_of_task(smack_cred(current_cred())); 498 499 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 500 } 501 502 /** 503 * smack_syslog - Smack approval on syslog 504 * @typefrom_file: unused 505 * 506 * Returns 0 on success, error code otherwise. 507 */ 508 static int smack_syslog(int typefrom_file) 509 { 510 int rc = 0; 511 struct smack_known *skp = smk_of_current(); 512 513 if (smack_privileged(CAP_MAC_OVERRIDE)) 514 return 0; 515 516 if (smack_syslog_label != NULL && smack_syslog_label != skp) 517 rc = -EACCES; 518 519 return rc; 520 } 521 522 /* 523 * Superblock Hooks. 524 */ 525 526 /** 527 * smack_sb_alloc_security - allocate a superblock blob 528 * @sb: the superblock getting the blob 529 * 530 * Returns 0 on success or -ENOMEM on error. 531 */ 532 static int smack_sb_alloc_security(struct super_block *sb) 533 { 534 struct superblock_smack *sbsp = smack_superblock(sb); 535 536 sbsp->smk_root = &smack_known_floor; 537 sbsp->smk_default = &smack_known_floor; 538 sbsp->smk_floor = &smack_known_floor; 539 sbsp->smk_hat = &smack_known_hat; 540 /* 541 * SMK_SB_INITIALIZED will be zero from kzalloc. 542 */ 543 544 return 0; 545 } 546 547 struct smack_mnt_opts { 548 const char *fsdefault; 549 const char *fsfloor; 550 const char *fshat; 551 const char *fsroot; 552 const char *fstransmute; 553 }; 554 555 static void smack_free_mnt_opts(void *mnt_opts) 556 { 557 kfree(mnt_opts); 558 } 559 560 static int smack_add_opt(int token, const char *s, void **mnt_opts) 561 { 562 struct smack_mnt_opts *opts = *mnt_opts; 563 struct smack_known *skp; 564 565 if (!opts) { 566 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 567 if (!opts) 568 return -ENOMEM; 569 *mnt_opts = opts; 570 } 571 if (!s) 572 return -ENOMEM; 573 574 skp = smk_import_entry(s, 0); 575 if (IS_ERR(skp)) 576 return PTR_ERR(skp); 577 578 switch (token) { 579 case Opt_fsdefault: 580 if (opts->fsdefault) 581 goto out_opt_err; 582 opts->fsdefault = skp->smk_known; 583 break; 584 case Opt_fsfloor: 585 if (opts->fsfloor) 586 goto out_opt_err; 587 opts->fsfloor = skp->smk_known; 588 break; 589 case Opt_fshat: 590 if (opts->fshat) 591 goto out_opt_err; 592 opts->fshat = skp->smk_known; 593 break; 594 case Opt_fsroot: 595 if (opts->fsroot) 596 goto out_opt_err; 597 opts->fsroot = skp->smk_known; 598 break; 599 case Opt_fstransmute: 600 if (opts->fstransmute) 601 goto out_opt_err; 602 opts->fstransmute = skp->smk_known; 603 break; 604 } 605 return 0; 606 607 out_opt_err: 608 pr_warn("Smack: duplicate mount options\n"); 609 return -EINVAL; 610 } 611 612 /** 613 * smack_fs_context_submount - Initialise security data for a filesystem context 614 * @fc: The filesystem context. 615 * @reference: reference superblock 616 * 617 * Returns 0 on success or -ENOMEM on error. 618 */ 619 static int smack_fs_context_submount(struct fs_context *fc, 620 struct super_block *reference) 621 { 622 struct superblock_smack *sbsp; 623 struct smack_mnt_opts *ctx; 624 struct inode_smack *isp; 625 626 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 627 if (!ctx) 628 return -ENOMEM; 629 fc->security = ctx; 630 631 sbsp = smack_superblock(reference); 632 isp = smack_inode(reference->s_root->d_inode); 633 634 if (sbsp->smk_default) { 635 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 636 if (!ctx->fsdefault) 637 return -ENOMEM; 638 } 639 640 if (sbsp->smk_floor) { 641 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 642 if (!ctx->fsfloor) 643 return -ENOMEM; 644 } 645 646 if (sbsp->smk_hat) { 647 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 648 if (!ctx->fshat) 649 return -ENOMEM; 650 } 651 652 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 653 if (sbsp->smk_root) { 654 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 655 if (!ctx->fstransmute) 656 return -ENOMEM; 657 } 658 } 659 return 0; 660 } 661 662 /** 663 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 664 * @fc: The new filesystem context. 665 * @src_fc: The source filesystem context being duplicated. 666 * 667 * Returns 0 on success or -ENOMEM on error. 668 */ 669 static int smack_fs_context_dup(struct fs_context *fc, 670 struct fs_context *src_fc) 671 { 672 struct smack_mnt_opts *dst, *src = src_fc->security; 673 674 if (!src) 675 return 0; 676 677 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 678 if (!fc->security) 679 return -ENOMEM; 680 681 dst = fc->security; 682 dst->fsdefault = src->fsdefault; 683 dst->fsfloor = src->fsfloor; 684 dst->fshat = src->fshat; 685 dst->fsroot = src->fsroot; 686 dst->fstransmute = src->fstransmute; 687 688 return 0; 689 } 690 691 static const struct fs_parameter_spec smack_fs_parameters[] = { 692 fsparam_string("smackfsdef", Opt_fsdefault), 693 fsparam_string("smackfsdefault", Opt_fsdefault), 694 fsparam_string("smackfsfloor", Opt_fsfloor), 695 fsparam_string("smackfshat", Opt_fshat), 696 fsparam_string("smackfsroot", Opt_fsroot), 697 fsparam_string("smackfstransmute", Opt_fstransmute), 698 {} 699 }; 700 701 /** 702 * smack_fs_context_parse_param - Parse a single mount parameter 703 * @fc: The new filesystem context being constructed. 704 * @param: The parameter. 705 * 706 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 707 * error. 708 */ 709 static int smack_fs_context_parse_param(struct fs_context *fc, 710 struct fs_parameter *param) 711 { 712 struct fs_parse_result result; 713 int opt, rc; 714 715 opt = fs_parse(fc, smack_fs_parameters, param, &result); 716 if (opt < 0) 717 return opt; 718 719 rc = smack_add_opt(opt, param->string, &fc->security); 720 if (!rc) 721 param->string = NULL; 722 return rc; 723 } 724 725 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 726 { 727 char *from = options, *to = options; 728 bool first = true; 729 730 while (1) { 731 char *next = strchr(from, ','); 732 int token, len, rc; 733 char *arg = NULL; 734 735 if (next) 736 len = next - from; 737 else 738 len = strlen(from); 739 740 token = match_opt_prefix(from, len, &arg); 741 if (token != Opt_error) { 742 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 743 rc = smack_add_opt(token, arg, mnt_opts); 744 kfree(arg); 745 if (unlikely(rc)) { 746 if (*mnt_opts) 747 smack_free_mnt_opts(*mnt_opts); 748 *mnt_opts = NULL; 749 return rc; 750 } 751 } else { 752 if (!first) { // copy with preceding comma 753 from--; 754 len++; 755 } 756 if (to != from) 757 memmove(to, from, len); 758 to += len; 759 first = false; 760 } 761 if (!from[len]) 762 break; 763 from += len + 1; 764 } 765 *to = '\0'; 766 return 0; 767 } 768 769 /** 770 * smack_set_mnt_opts - set Smack specific mount options 771 * @sb: the file system superblock 772 * @mnt_opts: Smack mount options 773 * @kern_flags: mount option from kernel space or user space 774 * @set_kern_flags: where to store converted mount opts 775 * 776 * Returns 0 on success, an error code on failure 777 * 778 * Allow filesystems with binary mount data to explicitly set Smack mount 779 * labels. 780 */ 781 static int smack_set_mnt_opts(struct super_block *sb, 782 void *mnt_opts, 783 unsigned long kern_flags, 784 unsigned long *set_kern_flags) 785 { 786 struct dentry *root = sb->s_root; 787 struct inode *inode = d_backing_inode(root); 788 struct superblock_smack *sp = smack_superblock(sb); 789 struct inode_smack *isp; 790 struct smack_known *skp; 791 struct smack_mnt_opts *opts = mnt_opts; 792 bool transmute = false; 793 794 if (sp->smk_flags & SMK_SB_INITIALIZED) 795 return 0; 796 797 if (!smack_privileged(CAP_MAC_ADMIN)) { 798 /* 799 * Unprivileged mounts don't get to specify Smack values. 800 */ 801 if (opts) 802 return -EPERM; 803 /* 804 * Unprivileged mounts get root and default from the caller. 805 */ 806 skp = smk_of_current(); 807 sp->smk_root = skp; 808 sp->smk_default = skp; 809 /* 810 * For a handful of fs types with no user-controlled 811 * backing store it's okay to trust security labels 812 * in the filesystem. The rest are untrusted. 813 */ 814 if (sb->s_user_ns != &init_user_ns && 815 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 816 sb->s_magic != RAMFS_MAGIC) { 817 transmute = true; 818 sp->smk_flags |= SMK_SB_UNTRUSTED; 819 } 820 } 821 822 sp->smk_flags |= SMK_SB_INITIALIZED; 823 824 if (opts) { 825 if (opts->fsdefault) { 826 skp = smk_import_entry(opts->fsdefault, 0); 827 if (IS_ERR(skp)) 828 return PTR_ERR(skp); 829 sp->smk_default = skp; 830 } 831 if (opts->fsfloor) { 832 skp = smk_import_entry(opts->fsfloor, 0); 833 if (IS_ERR(skp)) 834 return PTR_ERR(skp); 835 sp->smk_floor = skp; 836 } 837 if (opts->fshat) { 838 skp = smk_import_entry(opts->fshat, 0); 839 if (IS_ERR(skp)) 840 return PTR_ERR(skp); 841 sp->smk_hat = skp; 842 } 843 if (opts->fsroot) { 844 skp = smk_import_entry(opts->fsroot, 0); 845 if (IS_ERR(skp)) 846 return PTR_ERR(skp); 847 sp->smk_root = skp; 848 } 849 if (opts->fstransmute) { 850 skp = smk_import_entry(opts->fstransmute, 0); 851 if (IS_ERR(skp)) 852 return PTR_ERR(skp); 853 sp->smk_root = skp; 854 transmute = true; 855 } 856 } 857 858 /* 859 * Initialize the root inode. 860 */ 861 init_inode_smack(inode, sp->smk_root); 862 863 if (transmute) { 864 isp = smack_inode(inode); 865 isp->smk_flags |= SMK_INODE_TRANSMUTE; 866 } 867 868 return 0; 869 } 870 871 /** 872 * smack_sb_statfs - Smack check on statfs 873 * @dentry: identifies the file system in question 874 * 875 * Returns 0 if current can read the floor of the filesystem, 876 * and error code otherwise 877 */ 878 static int smack_sb_statfs(struct dentry *dentry) 879 { 880 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 881 int rc; 882 struct smk_audit_info ad; 883 884 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 885 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 886 887 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 888 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 889 return rc; 890 } 891 892 /* 893 * BPRM hooks 894 */ 895 896 /** 897 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 898 * @bprm: the exec information 899 * 900 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 901 */ 902 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 903 { 904 struct inode *inode = file_inode(bprm->file); 905 struct task_smack *bsp = smack_cred(bprm->cred); 906 struct inode_smack *isp; 907 struct superblock_smack *sbsp; 908 int rc; 909 910 isp = smack_inode(inode); 911 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 912 return 0; 913 914 sbsp = smack_superblock(inode->i_sb); 915 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 916 isp->smk_task != sbsp->smk_root) 917 return 0; 918 919 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 920 struct task_struct *tracer; 921 rc = 0; 922 923 rcu_read_lock(); 924 tracer = ptrace_parent(current); 925 if (likely(tracer != NULL)) 926 rc = smk_ptrace_rule_check(tracer, 927 isp->smk_task, 928 PTRACE_MODE_ATTACH, 929 __func__); 930 rcu_read_unlock(); 931 932 if (rc != 0) 933 return rc; 934 } 935 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 936 return -EPERM; 937 938 bsp->smk_task = isp->smk_task; 939 bprm->per_clear |= PER_CLEAR_ON_SETID; 940 941 /* Decide if this is a secure exec. */ 942 if (bsp->smk_task != bsp->smk_forked) 943 bprm->secureexec = 1; 944 945 return 0; 946 } 947 948 /* 949 * Inode hooks 950 */ 951 952 /** 953 * smack_inode_alloc_security - allocate an inode blob 954 * @inode: the inode in need of a blob 955 * 956 * Returns 0 957 */ 958 static int smack_inode_alloc_security(struct inode *inode) 959 { 960 struct smack_known *skp = smk_of_current(); 961 962 init_inode_smack(inode, skp); 963 return 0; 964 } 965 966 /** 967 * smack_inode_init_security - copy out the smack from an inode 968 * @inode: the newly created inode 969 * @dir: containing directory object 970 * @qstr: unused 971 * @xattrs: where to put the attributes 972 * @xattr_count: current number of LSM-provided xattrs (updated) 973 * 974 * Returns 0 if it all works out, -ENOMEM if there's no memory 975 */ 976 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 977 const struct qstr *qstr, 978 struct xattr *xattrs, int *xattr_count) 979 { 980 struct task_smack *tsp = smack_cred(current_cred()); 981 struct inode_smack *issp = smack_inode(inode); 982 struct smack_known *skp = smk_of_task(tsp); 983 struct smack_known *isp = smk_of_inode(inode); 984 struct smack_known *dsp = smk_of_inode(dir); 985 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 986 int may; 987 988 /* 989 * If equal, transmuting already occurred in 990 * smack_dentry_create_files_as(). No need to check again. 991 */ 992 if (tsp->smk_task != tsp->smk_transmuted) { 993 rcu_read_lock(); 994 may = smk_access_entry(skp->smk_known, dsp->smk_known, 995 &skp->smk_rules); 996 rcu_read_unlock(); 997 } 998 999 /* 1000 * In addition to having smk_task equal to smk_transmuted, 1001 * if the access rule allows transmutation and the directory 1002 * requests transmutation then by all means transmute. 1003 * Mark the inode as changed. 1004 */ 1005 if ((tsp->smk_task == tsp->smk_transmuted) || 1006 (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1007 smk_inode_transmutable(dir))) { 1008 struct xattr *xattr_transmute; 1009 1010 /* 1011 * The caller of smack_dentry_create_files_as() 1012 * should have overridden the current cred, so the 1013 * inode label was already set correctly in 1014 * smack_inode_alloc_security(). 1015 */ 1016 if (tsp->smk_task != tsp->smk_transmuted) 1017 isp = issp->smk_inode = dsp; 1018 1019 issp->smk_flags |= SMK_INODE_TRANSMUTE; 1020 xattr_transmute = lsm_get_xattr_slot(xattrs, 1021 xattr_count); 1022 if (xattr_transmute) { 1023 xattr_transmute->value = kmemdup(TRANS_TRUE, 1024 TRANS_TRUE_SIZE, 1025 GFP_NOFS); 1026 if (!xattr_transmute->value) 1027 return -ENOMEM; 1028 1029 xattr_transmute->value_len = TRANS_TRUE_SIZE; 1030 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1031 } 1032 } 1033 1034 issp->smk_flags |= SMK_INODE_INSTANT; 1035 1036 if (xattr) { 1037 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1038 if (!xattr->value) 1039 return -ENOMEM; 1040 1041 xattr->value_len = strlen(isp->smk_known); 1042 xattr->name = XATTR_SMACK_SUFFIX; 1043 } 1044 1045 return 0; 1046 } 1047 1048 /** 1049 * smack_inode_link - Smack check on link 1050 * @old_dentry: the existing object 1051 * @dir: unused 1052 * @new_dentry: the new object 1053 * 1054 * Returns 0 if access is permitted, an error code otherwise 1055 */ 1056 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1057 struct dentry *new_dentry) 1058 { 1059 struct smack_known *isp; 1060 struct smk_audit_info ad; 1061 int rc; 1062 1063 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1064 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1065 1066 isp = smk_of_inode(d_backing_inode(old_dentry)); 1067 rc = smk_curacc(isp, MAY_WRITE, &ad); 1068 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1069 1070 if (rc == 0 && d_is_positive(new_dentry)) { 1071 isp = smk_of_inode(d_backing_inode(new_dentry)); 1072 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1073 rc = smk_curacc(isp, MAY_WRITE, &ad); 1074 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1075 } 1076 1077 return rc; 1078 } 1079 1080 /** 1081 * smack_inode_unlink - Smack check on inode deletion 1082 * @dir: containing directory object 1083 * @dentry: file to unlink 1084 * 1085 * Returns 0 if current can write the containing directory 1086 * and the object, error code otherwise 1087 */ 1088 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1089 { 1090 struct inode *ip = d_backing_inode(dentry); 1091 struct smk_audit_info ad; 1092 int rc; 1093 1094 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1095 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1096 1097 /* 1098 * You need write access to the thing you're unlinking 1099 */ 1100 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1101 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1102 if (rc == 0) { 1103 /* 1104 * You also need write access to the containing directory 1105 */ 1106 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1107 smk_ad_setfield_u_fs_inode(&ad, dir); 1108 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1109 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1110 } 1111 return rc; 1112 } 1113 1114 /** 1115 * smack_inode_rmdir - Smack check on directory deletion 1116 * @dir: containing directory object 1117 * @dentry: directory to unlink 1118 * 1119 * Returns 0 if current can write the containing directory 1120 * and the directory, error code otherwise 1121 */ 1122 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1123 { 1124 struct smk_audit_info ad; 1125 int rc; 1126 1127 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1128 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1129 1130 /* 1131 * You need write access to the thing you're removing 1132 */ 1133 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1134 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1135 if (rc == 0) { 1136 /* 1137 * You also need write access to the containing directory 1138 */ 1139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1140 smk_ad_setfield_u_fs_inode(&ad, dir); 1141 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1142 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1143 } 1144 1145 return rc; 1146 } 1147 1148 /** 1149 * smack_inode_rename - Smack check on rename 1150 * @old_inode: unused 1151 * @old_dentry: the old object 1152 * @new_inode: unused 1153 * @new_dentry: the new object 1154 * 1155 * Read and write access is required on both the old and 1156 * new directories. 1157 * 1158 * Returns 0 if access is permitted, an error code otherwise 1159 */ 1160 static int smack_inode_rename(struct inode *old_inode, 1161 struct dentry *old_dentry, 1162 struct inode *new_inode, 1163 struct dentry *new_dentry) 1164 { 1165 int rc; 1166 struct smack_known *isp; 1167 struct smk_audit_info ad; 1168 1169 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1170 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1171 1172 isp = smk_of_inode(d_backing_inode(old_dentry)); 1173 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1174 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1175 1176 if (rc == 0 && d_is_positive(new_dentry)) { 1177 isp = smk_of_inode(d_backing_inode(new_dentry)); 1178 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1179 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1180 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1181 } 1182 return rc; 1183 } 1184 1185 /** 1186 * smack_inode_permission - Smack version of permission() 1187 * @inode: the inode in question 1188 * @mask: the access requested 1189 * 1190 * This is the important Smack hook. 1191 * 1192 * Returns 0 if access is permitted, an error code otherwise 1193 */ 1194 static int smack_inode_permission(struct inode *inode, int mask) 1195 { 1196 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1197 struct smk_audit_info ad; 1198 int no_block = mask & MAY_NOT_BLOCK; 1199 int rc; 1200 1201 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1202 /* 1203 * No permission to check. Existence test. Yup, it's there. 1204 */ 1205 if (mask == 0) 1206 return 0; 1207 1208 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1209 if (smk_of_inode(inode) != sbsp->smk_root) 1210 return -EACCES; 1211 } 1212 1213 /* May be droppable after audit */ 1214 if (no_block) 1215 return -ECHILD; 1216 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1217 smk_ad_setfield_u_fs_inode(&ad, inode); 1218 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1219 rc = smk_bu_inode(inode, mask, rc); 1220 return rc; 1221 } 1222 1223 /** 1224 * smack_inode_setattr - Smack check for setting attributes 1225 * @idmap: idmap of the mount 1226 * @dentry: the object 1227 * @iattr: for the force flag 1228 * 1229 * Returns 0 if access is permitted, an error code otherwise 1230 */ 1231 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1232 struct iattr *iattr) 1233 { 1234 struct smk_audit_info ad; 1235 int rc; 1236 1237 /* 1238 * Need to allow for clearing the setuid bit. 1239 */ 1240 if (iattr->ia_valid & ATTR_FORCE) 1241 return 0; 1242 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1243 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1244 1245 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1246 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1247 return rc; 1248 } 1249 1250 /** 1251 * smack_inode_getattr - Smack check for getting attributes 1252 * @path: path to extract the info from 1253 * 1254 * Returns 0 if access is permitted, an error code otherwise 1255 */ 1256 static int smack_inode_getattr(const struct path *path) 1257 { 1258 struct smk_audit_info ad; 1259 struct inode *inode = d_backing_inode(path->dentry); 1260 int rc; 1261 1262 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1263 smk_ad_setfield_u_fs_path(&ad, *path); 1264 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1265 rc = smk_bu_inode(inode, MAY_READ, rc); 1266 return rc; 1267 } 1268 1269 /** 1270 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1271 * @name: name of the xattr 1272 * 1273 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1274 * named @name; the LSM layer should avoid enforcing any traditional 1275 * capability based access controls on this xattr. Returns 0 to indicate that 1276 * Smack does not "own" the access control rights to xattrs named @name and is 1277 * deferring to the LSM layer for further access controls, including capability 1278 * based controls. 1279 */ 1280 static int smack_inode_xattr_skipcap(const char *name) 1281 { 1282 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1283 return 0; 1284 1285 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1286 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1287 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1288 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1289 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1290 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1291 return 1; 1292 1293 return 0; 1294 } 1295 1296 /** 1297 * smack_inode_setxattr - Smack check for setting xattrs 1298 * @idmap: idmap of the mount 1299 * @dentry: the object 1300 * @name: name of the attribute 1301 * @value: value of the attribute 1302 * @size: size of the value 1303 * @flags: unused 1304 * 1305 * This protects the Smack attribute explicitly. 1306 * 1307 * Returns 0 if access is permitted, an error code otherwise 1308 */ 1309 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1310 struct dentry *dentry, const char *name, 1311 const void *value, size_t size, int flags) 1312 { 1313 struct smk_audit_info ad; 1314 struct smack_known *skp; 1315 int check_priv = 0; 1316 int check_import = 0; 1317 int check_star = 0; 1318 int rc = 0; 1319 1320 /* 1321 * Check label validity here so import won't fail in post_setxattr 1322 */ 1323 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1324 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1325 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1326 check_priv = 1; 1327 check_import = 1; 1328 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1329 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1330 check_priv = 1; 1331 check_import = 1; 1332 check_star = 1; 1333 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1334 check_priv = 1; 1335 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || 1336 size != TRANS_TRUE_SIZE || 1337 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1338 rc = -EINVAL; 1339 } 1340 1341 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1342 rc = -EPERM; 1343 1344 if (rc == 0 && check_import) { 1345 skp = size ? smk_import_entry(value, size) : NULL; 1346 if (IS_ERR(skp)) 1347 rc = PTR_ERR(skp); 1348 else if (skp == NULL || (check_star && 1349 (skp == &smack_known_star || skp == &smack_known_web))) 1350 rc = -EINVAL; 1351 } 1352 1353 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1354 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1355 1356 if (rc == 0) { 1357 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1358 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1359 } 1360 1361 return rc; 1362 } 1363 1364 /** 1365 * smack_inode_post_setxattr - Apply the Smack update approved above 1366 * @dentry: object 1367 * @name: attribute name 1368 * @value: attribute value 1369 * @size: attribute size 1370 * @flags: unused 1371 * 1372 * Set the pointer in the inode blob to the entry found 1373 * in the master label list. 1374 */ 1375 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1376 const void *value, size_t size, int flags) 1377 { 1378 struct smack_known *skp; 1379 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1380 1381 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1382 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1383 return; 1384 } 1385 1386 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1387 skp = smk_import_entry(value, size); 1388 if (!IS_ERR(skp)) 1389 isp->smk_inode = skp; 1390 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1391 skp = smk_import_entry(value, size); 1392 if (!IS_ERR(skp)) 1393 isp->smk_task = skp; 1394 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1395 skp = smk_import_entry(value, size); 1396 if (!IS_ERR(skp)) 1397 isp->smk_mmap = skp; 1398 } 1399 1400 return; 1401 } 1402 1403 /** 1404 * smack_inode_getxattr - Smack check on getxattr 1405 * @dentry: the object 1406 * @name: unused 1407 * 1408 * Returns 0 if access is permitted, an error code otherwise 1409 */ 1410 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1411 { 1412 struct smk_audit_info ad; 1413 int rc; 1414 1415 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1416 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1417 1418 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1419 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1420 return rc; 1421 } 1422 1423 /** 1424 * smack_inode_removexattr - Smack check on removexattr 1425 * @idmap: idmap of the mount 1426 * @dentry: the object 1427 * @name: name of the attribute 1428 * 1429 * Removing the Smack attribute requires CAP_MAC_ADMIN 1430 * 1431 * Returns 0 if access is permitted, an error code otherwise 1432 */ 1433 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1434 struct dentry *dentry, const char *name) 1435 { 1436 struct inode_smack *isp; 1437 struct smk_audit_info ad; 1438 int rc = 0; 1439 1440 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1441 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1442 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1443 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1444 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1445 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1446 if (!smack_privileged(CAP_MAC_ADMIN)) 1447 rc = -EPERM; 1448 } 1449 1450 if (rc != 0) 1451 return rc; 1452 1453 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1454 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1455 1456 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1457 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1458 if (rc != 0) 1459 return rc; 1460 1461 isp = smack_inode(d_backing_inode(dentry)); 1462 /* 1463 * Don't do anything special for these. 1464 * XATTR_NAME_SMACKIPIN 1465 * XATTR_NAME_SMACKIPOUT 1466 */ 1467 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1468 struct super_block *sbp = dentry->d_sb; 1469 struct superblock_smack *sbsp = smack_superblock(sbp); 1470 1471 isp->smk_inode = sbsp->smk_default; 1472 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1473 isp->smk_task = NULL; 1474 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1475 isp->smk_mmap = NULL; 1476 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1477 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1478 1479 return 0; 1480 } 1481 1482 /** 1483 * smack_inode_set_acl - Smack check for setting posix acls 1484 * @idmap: idmap of the mnt this request came from 1485 * @dentry: the object 1486 * @acl_name: name of the posix acl 1487 * @kacl: the posix acls 1488 * 1489 * Returns 0 if access is permitted, an error code otherwise 1490 */ 1491 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1492 struct dentry *dentry, const char *acl_name, 1493 struct posix_acl *kacl) 1494 { 1495 struct smk_audit_info ad; 1496 int rc; 1497 1498 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1499 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1500 1501 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1502 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1503 return rc; 1504 } 1505 1506 /** 1507 * smack_inode_get_acl - Smack check for getting posix acls 1508 * @idmap: idmap of the mnt this request came from 1509 * @dentry: the object 1510 * @acl_name: name of the posix acl 1511 * 1512 * Returns 0 if access is permitted, an error code otherwise 1513 */ 1514 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1515 struct dentry *dentry, const char *acl_name) 1516 { 1517 struct smk_audit_info ad; 1518 int rc; 1519 1520 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1521 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1522 1523 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1524 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1525 return rc; 1526 } 1527 1528 /** 1529 * smack_inode_remove_acl - Smack check for getting posix acls 1530 * @idmap: idmap of the mnt this request came from 1531 * @dentry: the object 1532 * @acl_name: name of the posix acl 1533 * 1534 * Returns 0 if access is permitted, an error code otherwise 1535 */ 1536 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1537 struct dentry *dentry, const char *acl_name) 1538 { 1539 struct smk_audit_info ad; 1540 int rc; 1541 1542 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1543 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1544 1545 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1546 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1547 return rc; 1548 } 1549 1550 /** 1551 * smack_inode_getsecurity - get smack xattrs 1552 * @idmap: idmap of the mount 1553 * @inode: the object 1554 * @name: attribute name 1555 * @buffer: where to put the result 1556 * @alloc: duplicate memory 1557 * 1558 * Returns the size of the attribute or an error code 1559 */ 1560 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1561 struct inode *inode, const char *name, 1562 void **buffer, bool alloc) 1563 { 1564 struct socket_smack *ssp; 1565 struct socket *sock; 1566 struct super_block *sbp; 1567 struct inode *ip = inode; 1568 struct smack_known *isp; 1569 struct inode_smack *ispp; 1570 size_t label_len; 1571 char *label = NULL; 1572 1573 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1574 isp = smk_of_inode(inode); 1575 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1576 ispp = smack_inode(inode); 1577 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1578 label = TRANS_TRUE; 1579 else 1580 label = ""; 1581 } else { 1582 /* 1583 * The rest of the Smack xattrs are only on sockets. 1584 */ 1585 sbp = ip->i_sb; 1586 if (sbp->s_magic != SOCKFS_MAGIC) 1587 return -EOPNOTSUPP; 1588 1589 sock = SOCKET_I(ip); 1590 if (sock == NULL || sock->sk == NULL) 1591 return -EOPNOTSUPP; 1592 1593 ssp = smack_sock(sock->sk); 1594 1595 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1596 isp = ssp->smk_in; 1597 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1598 isp = ssp->smk_out; 1599 else 1600 return -EOPNOTSUPP; 1601 } 1602 1603 if (!label) 1604 label = isp->smk_known; 1605 1606 label_len = strlen(label); 1607 1608 if (alloc) { 1609 *buffer = kstrdup(label, GFP_KERNEL); 1610 if (*buffer == NULL) 1611 return -ENOMEM; 1612 } 1613 1614 return label_len; 1615 } 1616 1617 1618 /** 1619 * smack_inode_listsecurity - list the Smack attributes 1620 * @inode: the object 1621 * @buffer: where they go 1622 * @buffer_size: size of buffer 1623 */ 1624 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1625 size_t buffer_size) 1626 { 1627 int len = sizeof(XATTR_NAME_SMACK); 1628 1629 if (buffer != NULL && len <= buffer_size) 1630 memcpy(buffer, XATTR_NAME_SMACK, len); 1631 1632 return len; 1633 } 1634 1635 /** 1636 * smack_inode_getlsmprop - Extract inode's security id 1637 * @inode: inode to extract the info from 1638 * @prop: where result will be saved 1639 */ 1640 static void smack_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 1641 { 1642 prop->smack.skp = smk_of_inode(inode); 1643 } 1644 1645 /* 1646 * File Hooks 1647 */ 1648 1649 /* 1650 * There is no smack_file_permission hook 1651 * 1652 * Should access checks be done on each read or write? 1653 * UNICOS and SELinux say yes. 1654 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1655 * 1656 * I'll say no for now. Smack does not do the frequent 1657 * label changing that SELinux does. 1658 */ 1659 1660 /** 1661 * smack_file_alloc_security - assign a file security blob 1662 * @file: the object 1663 * 1664 * The security blob for a file is a pointer to the master 1665 * label list, so no allocation is done. 1666 * 1667 * f_security is the owner security information. It 1668 * isn't used on file access checks, it's for send_sigio. 1669 * 1670 * Returns 0 1671 */ 1672 static int smack_file_alloc_security(struct file *file) 1673 { 1674 struct smack_known **blob = smack_file(file); 1675 1676 *blob = smk_of_current(); 1677 return 0; 1678 } 1679 1680 /** 1681 * smack_file_ioctl - Smack check on ioctls 1682 * @file: the object 1683 * @cmd: what to do 1684 * @arg: unused 1685 * 1686 * Relies heavily on the correct use of the ioctl command conventions. 1687 * 1688 * Returns 0 if allowed, error code otherwise 1689 */ 1690 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1691 unsigned long arg) 1692 { 1693 int rc = 0; 1694 struct smk_audit_info ad; 1695 struct inode *inode = file_inode(file); 1696 1697 if (unlikely(IS_PRIVATE(inode))) 1698 return 0; 1699 1700 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1701 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1702 1703 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1704 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1705 rc = smk_bu_file(file, MAY_WRITE, rc); 1706 } 1707 1708 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1709 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1710 rc = smk_bu_file(file, MAY_READ, rc); 1711 } 1712 1713 return rc; 1714 } 1715 1716 /** 1717 * smack_file_lock - Smack check on file locking 1718 * @file: the object 1719 * @cmd: unused 1720 * 1721 * Returns 0 if current has lock access, error code otherwise 1722 */ 1723 static int smack_file_lock(struct file *file, unsigned int cmd) 1724 { 1725 struct smk_audit_info ad; 1726 int rc; 1727 struct inode *inode = file_inode(file); 1728 1729 if (unlikely(IS_PRIVATE(inode))) 1730 return 0; 1731 1732 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1733 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1734 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1735 rc = smk_bu_file(file, MAY_LOCK, rc); 1736 return rc; 1737 } 1738 1739 /** 1740 * smack_file_fcntl - Smack check on fcntl 1741 * @file: the object 1742 * @cmd: what action to check 1743 * @arg: unused 1744 * 1745 * Generally these operations are harmless. 1746 * File locking operations present an obvious mechanism 1747 * for passing information, so they require write access. 1748 * 1749 * Returns 0 if current has access, error code otherwise 1750 */ 1751 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1752 unsigned long arg) 1753 { 1754 struct smk_audit_info ad; 1755 int rc = 0; 1756 struct inode *inode = file_inode(file); 1757 1758 if (unlikely(IS_PRIVATE(inode))) 1759 return 0; 1760 1761 switch (cmd) { 1762 case F_GETLK: 1763 break; 1764 case F_SETLK: 1765 case F_SETLKW: 1766 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1767 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1768 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1769 rc = smk_bu_file(file, MAY_LOCK, rc); 1770 break; 1771 case F_SETOWN: 1772 case F_SETSIG: 1773 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1774 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1775 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1776 rc = smk_bu_file(file, MAY_WRITE, rc); 1777 break; 1778 default: 1779 break; 1780 } 1781 1782 return rc; 1783 } 1784 1785 /** 1786 * smack_mmap_file - Check permissions for a mmap operation. 1787 * @file: contains the file structure for file to map (may be NULL). 1788 * @reqprot: contains the protection requested by the application. 1789 * @prot: contains the protection that will be applied by the kernel. 1790 * @flags: contains the operational flags. 1791 * 1792 * The @file may be NULL, e.g. if mapping anonymous memory. 1793 * 1794 * Return 0 if permission is granted. 1795 */ 1796 static int smack_mmap_file(struct file *file, 1797 unsigned long reqprot, unsigned long prot, 1798 unsigned long flags) 1799 { 1800 struct smack_known *skp; 1801 struct smack_known *mkp; 1802 struct smack_rule *srp; 1803 struct task_smack *tsp; 1804 struct smack_known *okp; 1805 struct inode_smack *isp; 1806 struct superblock_smack *sbsp; 1807 int may; 1808 int mmay; 1809 int tmay; 1810 int rc; 1811 1812 if (file == NULL) 1813 return 0; 1814 1815 if (unlikely(IS_PRIVATE(file_inode(file)))) 1816 return 0; 1817 1818 isp = smack_inode(file_inode(file)); 1819 if (isp->smk_mmap == NULL) 1820 return 0; 1821 sbsp = smack_superblock(file_inode(file)->i_sb); 1822 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1823 isp->smk_mmap != sbsp->smk_root) 1824 return -EACCES; 1825 mkp = isp->smk_mmap; 1826 1827 tsp = smack_cred(current_cred()); 1828 skp = smk_of_current(); 1829 rc = 0; 1830 1831 rcu_read_lock(); 1832 /* 1833 * For each Smack rule associated with the subject 1834 * label verify that the SMACK64MMAP also has access 1835 * to that rule's object label. 1836 */ 1837 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1838 okp = srp->smk_object; 1839 /* 1840 * Matching labels always allows access. 1841 */ 1842 if (mkp->smk_known == okp->smk_known) 1843 continue; 1844 /* 1845 * If there is a matching local rule take 1846 * that into account as well. 1847 */ 1848 may = smk_access_entry(srp->smk_subject->smk_known, 1849 okp->smk_known, 1850 &tsp->smk_rules); 1851 if (may == -ENOENT) 1852 may = srp->smk_access; 1853 else 1854 may &= srp->smk_access; 1855 /* 1856 * If may is zero the SMACK64MMAP subject can't 1857 * possibly have less access. 1858 */ 1859 if (may == 0) 1860 continue; 1861 1862 /* 1863 * Fetch the global list entry. 1864 * If there isn't one a SMACK64MMAP subject 1865 * can't have as much access as current. 1866 */ 1867 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1868 &mkp->smk_rules); 1869 if (mmay == -ENOENT) { 1870 rc = -EACCES; 1871 break; 1872 } 1873 /* 1874 * If there is a local entry it modifies the 1875 * potential access, too. 1876 */ 1877 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1878 &tsp->smk_rules); 1879 if (tmay != -ENOENT) 1880 mmay &= tmay; 1881 1882 /* 1883 * If there is any access available to current that is 1884 * not available to a SMACK64MMAP subject 1885 * deny access. 1886 */ 1887 if ((may | mmay) != mmay) { 1888 rc = -EACCES; 1889 break; 1890 } 1891 } 1892 1893 rcu_read_unlock(); 1894 1895 return rc; 1896 } 1897 1898 /** 1899 * smack_file_set_fowner - set the file security blob value 1900 * @file: object in question 1901 * 1902 */ 1903 static void smack_file_set_fowner(struct file *file) 1904 { 1905 struct smack_known **blob = smack_file(file); 1906 1907 *blob = smk_of_current(); 1908 } 1909 1910 /** 1911 * smack_file_send_sigiotask - Smack on sigio 1912 * @tsk: The target task 1913 * @fown: the object the signal come from 1914 * @signum: unused 1915 * 1916 * Allow a privileged task to get signals even if it shouldn't 1917 * 1918 * Returns 0 if a subject with the object's smack could 1919 * write to the task, an error code otherwise. 1920 */ 1921 static int smack_file_send_sigiotask(struct task_struct *tsk, 1922 struct fown_struct *fown, int signum) 1923 { 1924 struct smack_known **blob; 1925 struct smack_known *skp; 1926 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1927 const struct cred *tcred; 1928 struct file *file; 1929 int rc; 1930 struct smk_audit_info ad; 1931 1932 /* 1933 * struct fown_struct is never outside the context of a struct file 1934 */ 1935 file = fown->file; 1936 1937 /* we don't log here as rc can be overridden */ 1938 blob = smack_file(file); 1939 skp = *blob; 1940 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1941 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1942 1943 rcu_read_lock(); 1944 tcred = __task_cred(tsk); 1945 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1946 rc = 0; 1947 rcu_read_unlock(); 1948 1949 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1950 smk_ad_setfield_u_tsk(&ad, tsk); 1951 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1952 return rc; 1953 } 1954 1955 /** 1956 * smack_file_receive - Smack file receive check 1957 * @file: the object 1958 * 1959 * Returns 0 if current has access, error code otherwise 1960 */ 1961 static int smack_file_receive(struct file *file) 1962 { 1963 int rc; 1964 int may = 0; 1965 struct smk_audit_info ad; 1966 struct inode *inode = file_inode(file); 1967 struct socket *sock; 1968 struct task_smack *tsp; 1969 struct socket_smack *ssp; 1970 1971 if (unlikely(IS_PRIVATE(inode))) 1972 return 0; 1973 1974 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1975 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1976 1977 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1978 sock = SOCKET_I(inode); 1979 ssp = smack_sock(sock->sk); 1980 tsp = smack_cred(current_cred()); 1981 /* 1982 * If the receiving process can't write to the 1983 * passed socket or if the passed socket can't 1984 * write to the receiving process don't accept 1985 * the passed socket. 1986 */ 1987 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1988 rc = smk_bu_file(file, may, rc); 1989 if (rc < 0) 1990 return rc; 1991 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1992 rc = smk_bu_file(file, may, rc); 1993 return rc; 1994 } 1995 /* 1996 * This code relies on bitmasks. 1997 */ 1998 if (file->f_mode & FMODE_READ) 1999 may = MAY_READ; 2000 if (file->f_mode & FMODE_WRITE) 2001 may |= MAY_WRITE; 2002 2003 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2004 rc = smk_bu_file(file, may, rc); 2005 return rc; 2006 } 2007 2008 /** 2009 * smack_file_open - Smack dentry open processing 2010 * @file: the object 2011 * 2012 * Set the security blob in the file structure. 2013 * Allow the open only if the task has read access. There are 2014 * many read operations (e.g. fstat) that you can do with an 2015 * fd even if you have the file open write-only. 2016 * 2017 * Returns 0 if current has access, error code otherwise 2018 */ 2019 static int smack_file_open(struct file *file) 2020 { 2021 struct task_smack *tsp = smack_cred(file->f_cred); 2022 struct inode *inode = file_inode(file); 2023 struct smk_audit_info ad; 2024 int rc; 2025 2026 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2027 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2028 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2029 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2030 2031 return rc; 2032 } 2033 2034 /* 2035 * Task hooks 2036 */ 2037 2038 /** 2039 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2040 * @cred: the new credentials 2041 * @gfp: the atomicity of any memory allocations 2042 * 2043 * Prepare a blank set of credentials for modification. This must allocate all 2044 * the memory the LSM module might require such that cred_transfer() can 2045 * complete without error. 2046 */ 2047 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2048 { 2049 init_task_smack(smack_cred(cred), NULL, NULL); 2050 return 0; 2051 } 2052 2053 2054 /** 2055 * smack_cred_free - "free" task-level security credentials 2056 * @cred: the credentials in question 2057 * 2058 */ 2059 static void smack_cred_free(struct cred *cred) 2060 { 2061 struct task_smack *tsp = smack_cred(cred); 2062 struct smack_rule *rp; 2063 struct list_head *l; 2064 struct list_head *n; 2065 2066 smk_destroy_label_list(&tsp->smk_relabel); 2067 2068 list_for_each_safe(l, n, &tsp->smk_rules) { 2069 rp = list_entry(l, struct smack_rule, list); 2070 list_del(&rp->list); 2071 kmem_cache_free(smack_rule_cache, rp); 2072 } 2073 } 2074 2075 /** 2076 * smack_cred_prepare - prepare new set of credentials for modification 2077 * @new: the new credentials 2078 * @old: the original credentials 2079 * @gfp: the atomicity of any memory allocations 2080 * 2081 * Prepare a new set of credentials for modification. 2082 */ 2083 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2084 gfp_t gfp) 2085 { 2086 struct task_smack *old_tsp = smack_cred(old); 2087 struct task_smack *new_tsp = smack_cred(new); 2088 int rc; 2089 2090 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2091 2092 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2093 if (rc != 0) 2094 return rc; 2095 2096 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2097 gfp); 2098 return rc; 2099 } 2100 2101 /** 2102 * smack_cred_transfer - Transfer the old credentials to the new credentials 2103 * @new: the new credentials 2104 * @old: the original credentials 2105 * 2106 * Fill in a set of blank credentials from another set of credentials. 2107 */ 2108 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2109 { 2110 struct task_smack *old_tsp = smack_cred(old); 2111 struct task_smack *new_tsp = smack_cred(new); 2112 2113 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2114 } 2115 2116 /** 2117 * smack_cred_getsecid - get the secid corresponding to a creds structure 2118 * @cred: the object creds 2119 * @secid: where to put the result 2120 * 2121 * Sets the secid to contain a u32 version of the smack label. 2122 */ 2123 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2124 { 2125 struct smack_known *skp; 2126 2127 rcu_read_lock(); 2128 skp = smk_of_task(smack_cred(cred)); 2129 *secid = skp->smk_secid; 2130 rcu_read_unlock(); 2131 } 2132 2133 /** 2134 * smack_cred_getlsmprop - get the Smack label for a creds structure 2135 * @cred: the object creds 2136 * @prop: where to put the data 2137 * 2138 * Sets the Smack part of the ref 2139 */ 2140 static void smack_cred_getlsmprop(const struct cred *cred, 2141 struct lsm_prop *prop) 2142 { 2143 rcu_read_lock(); 2144 prop->smack.skp = smk_of_task(smack_cred(cred)); 2145 rcu_read_unlock(); 2146 } 2147 2148 /** 2149 * smack_kernel_act_as - Set the subjective context in a set of credentials 2150 * @new: points to the set of credentials to be modified. 2151 * @secid: specifies the security ID to be set 2152 * 2153 * Set the security data for a kernel service. 2154 */ 2155 static int smack_kernel_act_as(struct cred *new, u32 secid) 2156 { 2157 struct task_smack *new_tsp = smack_cred(new); 2158 2159 new_tsp->smk_task = smack_from_secid(secid); 2160 return 0; 2161 } 2162 2163 /** 2164 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2165 * @new: points to the set of credentials to be modified 2166 * @inode: points to the inode to use as a reference 2167 * 2168 * Set the file creation context in a set of credentials to the same 2169 * as the objective context of the specified inode 2170 */ 2171 static int smack_kernel_create_files_as(struct cred *new, 2172 struct inode *inode) 2173 { 2174 struct inode_smack *isp = smack_inode(inode); 2175 struct task_smack *tsp = smack_cred(new); 2176 2177 tsp->smk_forked = isp->smk_inode; 2178 tsp->smk_task = tsp->smk_forked; 2179 return 0; 2180 } 2181 2182 /** 2183 * smk_curacc_on_task - helper to log task related access 2184 * @p: the task object 2185 * @access: the access requested 2186 * @caller: name of the calling function for audit 2187 * 2188 * Return 0 if access is permitted 2189 */ 2190 static int smk_curacc_on_task(struct task_struct *p, int access, 2191 const char *caller) 2192 { 2193 struct smk_audit_info ad; 2194 struct smack_known *skp = smk_of_task_struct_obj(p); 2195 int rc; 2196 2197 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2198 smk_ad_setfield_u_tsk(&ad, p); 2199 rc = smk_curacc(skp, access, &ad); 2200 rc = smk_bu_task(p, access, rc); 2201 return rc; 2202 } 2203 2204 /** 2205 * smack_task_setpgid - Smack check on setting pgid 2206 * @p: the task object 2207 * @pgid: unused 2208 * 2209 * Return 0 if write access is permitted 2210 */ 2211 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2212 { 2213 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2214 } 2215 2216 /** 2217 * smack_task_getpgid - Smack access check for getpgid 2218 * @p: the object task 2219 * 2220 * Returns 0 if current can read the object task, error code otherwise 2221 */ 2222 static int smack_task_getpgid(struct task_struct *p) 2223 { 2224 return smk_curacc_on_task(p, MAY_READ, __func__); 2225 } 2226 2227 /** 2228 * smack_task_getsid - Smack access check for getsid 2229 * @p: the object task 2230 * 2231 * Returns 0 if current can read the object task, error code otherwise 2232 */ 2233 static int smack_task_getsid(struct task_struct *p) 2234 { 2235 return smk_curacc_on_task(p, MAY_READ, __func__); 2236 } 2237 2238 /** 2239 * smack_current_getlsmprop_subj - get the subjective secid of the current task 2240 * @prop: where to put the result 2241 * 2242 * Sets the secid to contain a u32 version of the task's subjective smack label. 2243 */ 2244 static void smack_current_getlsmprop_subj(struct lsm_prop *prop) 2245 { 2246 prop->smack.skp = smk_of_current(); 2247 } 2248 2249 /** 2250 * smack_task_getlsmprop_obj - get the objective data of the task 2251 * @p: the task 2252 * @prop: where to put the result 2253 * 2254 * Sets the secid to contain a u32 version of the task's objective smack label. 2255 */ 2256 static void smack_task_getlsmprop_obj(struct task_struct *p, 2257 struct lsm_prop *prop) 2258 { 2259 prop->smack.skp = smk_of_task_struct_obj(p); 2260 } 2261 2262 /** 2263 * smack_task_setnice - Smack check on setting nice 2264 * @p: the task object 2265 * @nice: unused 2266 * 2267 * Return 0 if write access is permitted 2268 */ 2269 static int smack_task_setnice(struct task_struct *p, int nice) 2270 { 2271 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2272 } 2273 2274 /** 2275 * smack_task_setioprio - Smack check on setting ioprio 2276 * @p: the task object 2277 * @ioprio: unused 2278 * 2279 * Return 0 if write access is permitted 2280 */ 2281 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2282 { 2283 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2284 } 2285 2286 /** 2287 * smack_task_getioprio - Smack check on reading ioprio 2288 * @p: the task object 2289 * 2290 * Return 0 if read access is permitted 2291 */ 2292 static int smack_task_getioprio(struct task_struct *p) 2293 { 2294 return smk_curacc_on_task(p, MAY_READ, __func__); 2295 } 2296 2297 /** 2298 * smack_task_setscheduler - Smack check on setting scheduler 2299 * @p: the task object 2300 * 2301 * Return 0 if read access is permitted 2302 */ 2303 static int smack_task_setscheduler(struct task_struct *p) 2304 { 2305 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2306 } 2307 2308 /** 2309 * smack_task_getscheduler - Smack check on reading scheduler 2310 * @p: the task object 2311 * 2312 * Return 0 if read access is permitted 2313 */ 2314 static int smack_task_getscheduler(struct task_struct *p) 2315 { 2316 return smk_curacc_on_task(p, MAY_READ, __func__); 2317 } 2318 2319 /** 2320 * smack_task_movememory - Smack check on moving memory 2321 * @p: the task object 2322 * 2323 * Return 0 if write access is permitted 2324 */ 2325 static int smack_task_movememory(struct task_struct *p) 2326 { 2327 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2328 } 2329 2330 /** 2331 * smack_task_kill - Smack check on signal delivery 2332 * @p: the task object 2333 * @info: unused 2334 * @sig: unused 2335 * @cred: identifies the cred to use in lieu of current's 2336 * 2337 * Return 0 if write access is permitted 2338 * 2339 */ 2340 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2341 int sig, const struct cred *cred) 2342 { 2343 struct smk_audit_info ad; 2344 struct smack_known *skp; 2345 struct smack_known *tkp = smk_of_task_struct_obj(p); 2346 int rc; 2347 2348 if (!sig) 2349 return 0; /* null signal; existence test */ 2350 2351 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2352 smk_ad_setfield_u_tsk(&ad, p); 2353 /* 2354 * Sending a signal requires that the sender 2355 * can write the receiver. 2356 */ 2357 if (cred == NULL) { 2358 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2359 rc = smk_bu_task(p, MAY_DELIVER, rc); 2360 return rc; 2361 } 2362 /* 2363 * If the cred isn't NULL we're dealing with some USB IO 2364 * specific behavior. This is not clean. For one thing 2365 * we can't take privilege into account. 2366 */ 2367 skp = smk_of_task(smack_cred(cred)); 2368 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2369 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2370 return rc; 2371 } 2372 2373 /** 2374 * smack_task_to_inode - copy task smack into the inode blob 2375 * @p: task to copy from 2376 * @inode: inode to copy to 2377 * 2378 * Sets the smack pointer in the inode security blob 2379 */ 2380 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2381 { 2382 struct inode_smack *isp = smack_inode(inode); 2383 struct smack_known *skp = smk_of_task_struct_obj(p); 2384 2385 isp->smk_inode = skp; 2386 isp->smk_flags |= SMK_INODE_INSTANT; 2387 } 2388 2389 /* 2390 * Socket hooks. 2391 */ 2392 2393 /** 2394 * smack_sk_alloc_security - Allocate a socket blob 2395 * @sk: the socket 2396 * @family: unused 2397 * @gfp_flags: memory allocation flags 2398 * 2399 * Assign Smack pointers to current 2400 * 2401 * Returns 0 on success, -ENOMEM is there's no memory 2402 */ 2403 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2404 { 2405 struct smack_known *skp = smk_of_current(); 2406 struct socket_smack *ssp = smack_sock(sk); 2407 2408 /* 2409 * Sockets created by kernel threads receive web label. 2410 */ 2411 if (unlikely(current->flags & PF_KTHREAD)) { 2412 ssp->smk_in = &smack_known_web; 2413 ssp->smk_out = &smack_known_web; 2414 } else { 2415 ssp->smk_in = skp; 2416 ssp->smk_out = skp; 2417 } 2418 ssp->smk_packet = NULL; 2419 2420 return 0; 2421 } 2422 2423 #ifdef SMACK_IPV6_PORT_LABELING 2424 /** 2425 * smack_sk_free_security - Free a socket blob 2426 * @sk: the socket 2427 * 2428 * Clears the blob pointer 2429 */ 2430 static void smack_sk_free_security(struct sock *sk) 2431 { 2432 struct smk_port_label *spp; 2433 2434 if (sk->sk_family == PF_INET6) { 2435 rcu_read_lock(); 2436 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2437 if (spp->smk_sock != sk) 2438 continue; 2439 spp->smk_can_reuse = 1; 2440 break; 2441 } 2442 rcu_read_unlock(); 2443 } 2444 } 2445 #endif 2446 2447 /** 2448 * smack_sk_clone_security - Copy security context 2449 * @sk: the old socket 2450 * @newsk: the new socket 2451 * 2452 * Copy the security context of the old socket pointer to the cloned 2453 */ 2454 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2455 { 2456 struct socket_smack *ssp_old = smack_sock(sk); 2457 struct socket_smack *ssp_new = smack_sock(newsk); 2458 2459 *ssp_new = *ssp_old; 2460 } 2461 2462 /** 2463 * smack_ipv4host_label - check host based restrictions 2464 * @sip: the object end 2465 * 2466 * looks for host based access restrictions 2467 * 2468 * This version will only be appropriate for really small sets of single label 2469 * hosts. The caller is responsible for ensuring that the RCU read lock is 2470 * taken before calling this function. 2471 * 2472 * Returns the label of the far end or NULL if it's not special. 2473 */ 2474 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2475 { 2476 struct smk_net4addr *snp; 2477 struct in_addr *siap = &sip->sin_addr; 2478 2479 if (siap->s_addr == 0) 2480 return NULL; 2481 2482 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2483 /* 2484 * we break after finding the first match because 2485 * the list is sorted from longest to shortest mask 2486 * so we have found the most specific match 2487 */ 2488 if (snp->smk_host.s_addr == 2489 (siap->s_addr & snp->smk_mask.s_addr)) 2490 return snp->smk_label; 2491 2492 return NULL; 2493 } 2494 2495 #if IS_ENABLED(CONFIG_IPV6) 2496 /* 2497 * smk_ipv6_localhost - Check for local ipv6 host address 2498 * @sip: the address 2499 * 2500 * Returns boolean true if this is the localhost address 2501 */ 2502 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2503 { 2504 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2505 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2506 2507 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2508 ntohs(be16p[7]) == 1) 2509 return true; 2510 return false; 2511 } 2512 2513 /** 2514 * smack_ipv6host_label - check host based restrictions 2515 * @sip: the object end 2516 * 2517 * looks for host based access restrictions 2518 * 2519 * This version will only be appropriate for really small sets of single label 2520 * hosts. The caller is responsible for ensuring that the RCU read lock is 2521 * taken before calling this function. 2522 * 2523 * Returns the label of the far end or NULL if it's not special. 2524 */ 2525 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2526 { 2527 struct smk_net6addr *snp; 2528 struct in6_addr *sap = &sip->sin6_addr; 2529 int i; 2530 int found = 0; 2531 2532 /* 2533 * It's local. Don't look for a host label. 2534 */ 2535 if (smk_ipv6_localhost(sip)) 2536 return NULL; 2537 2538 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2539 /* 2540 * If the label is NULL the entry has 2541 * been renounced. Ignore it. 2542 */ 2543 if (snp->smk_label == NULL) 2544 continue; 2545 /* 2546 * we break after finding the first match because 2547 * the list is sorted from longest to shortest mask 2548 * so we have found the most specific match 2549 */ 2550 for (found = 1, i = 0; i < 8; i++) { 2551 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2552 snp->smk_host.s6_addr16[i]) { 2553 found = 0; 2554 break; 2555 } 2556 } 2557 if (found) 2558 return snp->smk_label; 2559 } 2560 2561 return NULL; 2562 } 2563 #endif /* CONFIG_IPV6 */ 2564 2565 /** 2566 * smack_netlbl_add - Set the secattr on a socket 2567 * @sk: the socket 2568 * 2569 * Attach the outbound smack value (smk_out) to the socket. 2570 * 2571 * Returns 0 on success or an error code 2572 */ 2573 static int smack_netlbl_add(struct sock *sk) 2574 { 2575 struct socket_smack *ssp = smack_sock(sk); 2576 struct smack_known *skp = ssp->smk_out; 2577 int rc; 2578 2579 local_bh_disable(); 2580 bh_lock_sock_nested(sk); 2581 2582 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2583 netlbl_sk_lock_check(sk)); 2584 switch (rc) { 2585 case 0: 2586 ssp->smk_state = SMK_NETLBL_LABELED; 2587 break; 2588 case -EDESTADDRREQ: 2589 ssp->smk_state = SMK_NETLBL_REQSKB; 2590 rc = 0; 2591 break; 2592 } 2593 2594 bh_unlock_sock(sk); 2595 local_bh_enable(); 2596 2597 return rc; 2598 } 2599 2600 /** 2601 * smack_netlbl_delete - Remove the secattr from a socket 2602 * @sk: the socket 2603 * 2604 * Remove the outbound smack value from a socket 2605 */ 2606 static void smack_netlbl_delete(struct sock *sk) 2607 { 2608 struct socket_smack *ssp = smack_sock(sk); 2609 2610 /* 2611 * Take the label off the socket if one is set. 2612 */ 2613 if (ssp->smk_state != SMK_NETLBL_LABELED) 2614 return; 2615 2616 local_bh_disable(); 2617 bh_lock_sock_nested(sk); 2618 netlbl_sock_delattr(sk); 2619 bh_unlock_sock(sk); 2620 local_bh_enable(); 2621 ssp->smk_state = SMK_NETLBL_UNLABELED; 2622 } 2623 2624 /** 2625 * smk_ipv4_check - Perform IPv4 host access checks 2626 * @sk: the socket 2627 * @sap: the destination address 2628 * 2629 * Set the correct secattr for the given socket based on the destination 2630 * address and perform any outbound access checks needed. 2631 * 2632 * Returns 0 on success or an error code. 2633 * 2634 */ 2635 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2636 { 2637 struct smack_known *skp; 2638 int rc = 0; 2639 struct smack_known *hkp; 2640 struct socket_smack *ssp = smack_sock(sk); 2641 struct smk_audit_info ad; 2642 2643 rcu_read_lock(); 2644 hkp = smack_ipv4host_label(sap); 2645 if (hkp != NULL) { 2646 #ifdef CONFIG_AUDIT 2647 struct lsm_network_audit net; 2648 2649 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2650 ad.a.u.net->family = sap->sin_family; 2651 ad.a.u.net->dport = sap->sin_port; 2652 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2653 #endif 2654 skp = ssp->smk_out; 2655 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2656 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2657 /* 2658 * Clear the socket netlabel if it's set. 2659 */ 2660 if (!rc) 2661 smack_netlbl_delete(sk); 2662 } 2663 rcu_read_unlock(); 2664 2665 return rc; 2666 } 2667 2668 #if IS_ENABLED(CONFIG_IPV6) 2669 /** 2670 * smk_ipv6_check - check Smack access 2671 * @subject: subject Smack label 2672 * @object: object Smack label 2673 * @address: address 2674 * @act: the action being taken 2675 * 2676 * Check an IPv6 access 2677 */ 2678 static int smk_ipv6_check(struct smack_known *subject, 2679 struct smack_known *object, 2680 struct sockaddr_in6 *address, int act) 2681 { 2682 #ifdef CONFIG_AUDIT 2683 struct lsm_network_audit net; 2684 #endif 2685 struct smk_audit_info ad; 2686 int rc; 2687 2688 #ifdef CONFIG_AUDIT 2689 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2690 ad.a.u.net->family = PF_INET6; 2691 ad.a.u.net->dport = address->sin6_port; 2692 if (act == SMK_RECEIVING) 2693 ad.a.u.net->v6info.saddr = address->sin6_addr; 2694 else 2695 ad.a.u.net->v6info.daddr = address->sin6_addr; 2696 #endif 2697 rc = smk_access(subject, object, MAY_WRITE, &ad); 2698 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2699 return rc; 2700 } 2701 #endif /* CONFIG_IPV6 */ 2702 2703 #ifdef SMACK_IPV6_PORT_LABELING 2704 /** 2705 * smk_ipv6_port_label - Smack port access table management 2706 * @sock: socket 2707 * @address: address 2708 * 2709 * Create or update the port list entry 2710 */ 2711 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2712 { 2713 struct sock *sk = sock->sk; 2714 struct sockaddr_in6 *addr6; 2715 struct socket_smack *ssp = smack_sock(sock->sk); 2716 struct smk_port_label *spp; 2717 unsigned short port = 0; 2718 2719 if (address == NULL) { 2720 /* 2721 * This operation is changing the Smack information 2722 * on the bound socket. Take the changes to the port 2723 * as well. 2724 */ 2725 rcu_read_lock(); 2726 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2727 if (sk != spp->smk_sock) 2728 continue; 2729 spp->smk_in = ssp->smk_in; 2730 spp->smk_out = ssp->smk_out; 2731 rcu_read_unlock(); 2732 return; 2733 } 2734 /* 2735 * A NULL address is only used for updating existing 2736 * bound entries. If there isn't one, it's OK. 2737 */ 2738 rcu_read_unlock(); 2739 return; 2740 } 2741 2742 addr6 = (struct sockaddr_in6 *)address; 2743 port = ntohs(addr6->sin6_port); 2744 /* 2745 * This is a special case that is safely ignored. 2746 */ 2747 if (port == 0) 2748 return; 2749 2750 /* 2751 * Look for an existing port list entry. 2752 * This is an indication that a port is getting reused. 2753 */ 2754 rcu_read_lock(); 2755 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2756 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2757 continue; 2758 if (spp->smk_can_reuse != 1) { 2759 rcu_read_unlock(); 2760 return; 2761 } 2762 spp->smk_port = port; 2763 spp->smk_sock = sk; 2764 spp->smk_in = ssp->smk_in; 2765 spp->smk_out = ssp->smk_out; 2766 spp->smk_can_reuse = 0; 2767 rcu_read_unlock(); 2768 return; 2769 } 2770 rcu_read_unlock(); 2771 /* 2772 * A new port entry is required. 2773 */ 2774 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2775 if (spp == NULL) 2776 return; 2777 2778 spp->smk_port = port; 2779 spp->smk_sock = sk; 2780 spp->smk_in = ssp->smk_in; 2781 spp->smk_out = ssp->smk_out; 2782 spp->smk_sock_type = sock->type; 2783 spp->smk_can_reuse = 0; 2784 2785 mutex_lock(&smack_ipv6_lock); 2786 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2787 mutex_unlock(&smack_ipv6_lock); 2788 return; 2789 } 2790 2791 /** 2792 * smk_ipv6_port_check - check Smack port access 2793 * @sk: socket 2794 * @address: address 2795 * @act: the action being taken 2796 * 2797 * Create or update the port list entry 2798 */ 2799 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2800 int act) 2801 { 2802 struct smk_port_label *spp; 2803 struct socket_smack *ssp = smack_sock(sk); 2804 struct smack_known *skp = NULL; 2805 unsigned short port; 2806 struct smack_known *object; 2807 2808 if (act == SMK_RECEIVING) { 2809 skp = smack_ipv6host_label(address); 2810 object = ssp->smk_in; 2811 } else { 2812 skp = ssp->smk_out; 2813 object = smack_ipv6host_label(address); 2814 } 2815 2816 /* 2817 * The other end is a single label host. 2818 */ 2819 if (skp != NULL && object != NULL) 2820 return smk_ipv6_check(skp, object, address, act); 2821 if (skp == NULL) 2822 skp = smack_net_ambient; 2823 if (object == NULL) 2824 object = smack_net_ambient; 2825 2826 /* 2827 * It's remote, so port lookup does no good. 2828 */ 2829 if (!smk_ipv6_localhost(address)) 2830 return smk_ipv6_check(skp, object, address, act); 2831 2832 /* 2833 * It's local so the send check has to have passed. 2834 */ 2835 if (act == SMK_RECEIVING) 2836 return 0; 2837 2838 port = ntohs(address->sin6_port); 2839 rcu_read_lock(); 2840 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2841 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2842 continue; 2843 object = spp->smk_in; 2844 if (act == SMK_CONNECTING) 2845 ssp->smk_packet = spp->smk_out; 2846 break; 2847 } 2848 rcu_read_unlock(); 2849 2850 return smk_ipv6_check(skp, object, address, act); 2851 } 2852 #endif 2853 2854 /** 2855 * smack_inode_setsecurity - set smack xattrs 2856 * @inode: the object 2857 * @name: attribute name 2858 * @value: attribute value 2859 * @size: size of the attribute 2860 * @flags: unused 2861 * 2862 * Sets the named attribute in the appropriate blob 2863 * 2864 * Returns 0 on success, or an error code 2865 */ 2866 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2867 const void *value, size_t size, int flags) 2868 { 2869 struct smack_known *skp; 2870 struct inode_smack *nsp = smack_inode(inode); 2871 struct socket_smack *ssp; 2872 struct socket *sock; 2873 int rc = 0; 2874 2875 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2876 return -EINVAL; 2877 2878 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2879 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2880 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2881 return -EINVAL; 2882 2883 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2884 return 0; 2885 } 2886 2887 skp = smk_import_entry(value, size); 2888 if (IS_ERR(skp)) 2889 return PTR_ERR(skp); 2890 2891 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2892 nsp->smk_inode = skp; 2893 nsp->smk_flags |= SMK_INODE_INSTANT; 2894 return 0; 2895 } 2896 /* 2897 * The rest of the Smack xattrs are only on sockets. 2898 */ 2899 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2900 return -EOPNOTSUPP; 2901 2902 sock = SOCKET_I(inode); 2903 if (sock == NULL || sock->sk == NULL) 2904 return -EOPNOTSUPP; 2905 2906 ssp = smack_sock(sock->sk); 2907 2908 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2909 ssp->smk_in = skp; 2910 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2911 ssp->smk_out = skp; 2912 if (sock->sk->sk_family == PF_INET) { 2913 rc = smack_netlbl_add(sock->sk); 2914 if (rc != 0) 2915 printk(KERN_WARNING 2916 "Smack: \"%s\" netlbl error %d.\n", 2917 __func__, -rc); 2918 } 2919 } else 2920 return -EOPNOTSUPP; 2921 2922 #ifdef SMACK_IPV6_PORT_LABELING 2923 if (sock->sk->sk_family == PF_INET6) 2924 smk_ipv6_port_label(sock, NULL); 2925 #endif 2926 2927 return 0; 2928 } 2929 2930 /** 2931 * smack_socket_post_create - finish socket setup 2932 * @sock: the socket 2933 * @family: protocol family 2934 * @type: unused 2935 * @protocol: unused 2936 * @kern: unused 2937 * 2938 * Sets the netlabel information on the socket 2939 * 2940 * Returns 0 on success, and error code otherwise 2941 */ 2942 static int smack_socket_post_create(struct socket *sock, int family, 2943 int type, int protocol, int kern) 2944 { 2945 struct socket_smack *ssp; 2946 2947 if (sock->sk == NULL) 2948 return 0; 2949 2950 /* 2951 * Sockets created by kernel threads receive web label. 2952 */ 2953 if (unlikely(current->flags & PF_KTHREAD)) { 2954 ssp = smack_sock(sock->sk); 2955 ssp->smk_in = &smack_known_web; 2956 ssp->smk_out = &smack_known_web; 2957 } 2958 2959 if (family != PF_INET) 2960 return 0; 2961 /* 2962 * Set the outbound netlbl. 2963 */ 2964 return smack_netlbl_add(sock->sk); 2965 } 2966 2967 /** 2968 * smack_socket_socketpair - create socket pair 2969 * @socka: one socket 2970 * @sockb: another socket 2971 * 2972 * Cross reference the peer labels for SO_PEERSEC 2973 * 2974 * Returns 0 2975 */ 2976 static int smack_socket_socketpair(struct socket *socka, 2977 struct socket *sockb) 2978 { 2979 struct socket_smack *asp = smack_sock(socka->sk); 2980 struct socket_smack *bsp = smack_sock(sockb->sk); 2981 2982 asp->smk_packet = bsp->smk_out; 2983 bsp->smk_packet = asp->smk_out; 2984 2985 return 0; 2986 } 2987 2988 #ifdef SMACK_IPV6_PORT_LABELING 2989 /** 2990 * smack_socket_bind - record port binding information. 2991 * @sock: the socket 2992 * @address: the port address 2993 * @addrlen: size of the address 2994 * 2995 * Records the label bound to a port. 2996 * 2997 * Returns 0 on success, and error code otherwise 2998 */ 2999 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 3000 int addrlen) 3001 { 3002 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 3003 if (addrlen < SIN6_LEN_RFC2133 || 3004 address->sa_family != AF_INET6) 3005 return -EINVAL; 3006 smk_ipv6_port_label(sock, address); 3007 } 3008 return 0; 3009 } 3010 #endif /* SMACK_IPV6_PORT_LABELING */ 3011 3012 /** 3013 * smack_socket_connect - connect access check 3014 * @sock: the socket 3015 * @sap: the other end 3016 * @addrlen: size of sap 3017 * 3018 * Verifies that a connection may be possible 3019 * 3020 * Returns 0 on success, and error code otherwise 3021 */ 3022 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3023 int addrlen) 3024 { 3025 int rc = 0; 3026 3027 if (sock->sk == NULL) 3028 return 0; 3029 if (sock->sk->sk_family != PF_INET && 3030 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3031 return 0; 3032 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3033 return 0; 3034 3035 #if IS_ENABLED(CONFIG_IPV6) 3036 if (sap->sa_family == AF_INET6) { 3037 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3038 struct smack_known *rsp = NULL; 3039 3040 if (addrlen < SIN6_LEN_RFC2133) 3041 return 0; 3042 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3043 rsp = smack_ipv6host_label(sip); 3044 if (rsp != NULL) { 3045 struct socket_smack *ssp = smack_sock(sock->sk); 3046 3047 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3048 SMK_CONNECTING); 3049 } 3050 #ifdef SMACK_IPV6_PORT_LABELING 3051 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3052 #endif 3053 3054 return rc; 3055 } 3056 #endif /* CONFIG_IPV6 */ 3057 3058 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3059 return 0; 3060 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3061 return rc; 3062 } 3063 3064 /** 3065 * smack_flags_to_may - convert S_ to MAY_ values 3066 * @flags: the S_ value 3067 * 3068 * Returns the equivalent MAY_ value 3069 */ 3070 static int smack_flags_to_may(int flags) 3071 { 3072 int may = 0; 3073 3074 if (flags & S_IRUGO) 3075 may |= MAY_READ; 3076 if (flags & S_IWUGO) 3077 may |= MAY_WRITE; 3078 if (flags & S_IXUGO) 3079 may |= MAY_EXEC; 3080 3081 return may; 3082 } 3083 3084 /** 3085 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3086 * @msg: the object 3087 * 3088 * Returns 0 3089 */ 3090 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3091 { 3092 struct smack_known **blob = smack_msg_msg(msg); 3093 3094 *blob = smk_of_current(); 3095 return 0; 3096 } 3097 3098 /** 3099 * smack_of_ipc - the smack pointer for the ipc 3100 * @isp: the object 3101 * 3102 * Returns a pointer to the smack value 3103 */ 3104 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3105 { 3106 struct smack_known **blob = smack_ipc(isp); 3107 3108 return *blob; 3109 } 3110 3111 /** 3112 * smack_ipc_alloc_security - Set the security blob for ipc 3113 * @isp: the object 3114 * 3115 * Returns 0 3116 */ 3117 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3118 { 3119 struct smack_known **blob = smack_ipc(isp); 3120 3121 *blob = smk_of_current(); 3122 return 0; 3123 } 3124 3125 /** 3126 * smk_curacc_shm : check if current has access on shm 3127 * @isp : the object 3128 * @access : access requested 3129 * 3130 * Returns 0 if current has the requested access, error code otherwise 3131 */ 3132 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3133 { 3134 struct smack_known *ssp = smack_of_ipc(isp); 3135 struct smk_audit_info ad; 3136 int rc; 3137 3138 #ifdef CONFIG_AUDIT 3139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3140 ad.a.u.ipc_id = isp->id; 3141 #endif 3142 rc = smk_curacc(ssp, access, &ad); 3143 rc = smk_bu_current("shm", ssp, access, rc); 3144 return rc; 3145 } 3146 3147 /** 3148 * smack_shm_associate - Smack access check for shm 3149 * @isp: the object 3150 * @shmflg: access requested 3151 * 3152 * Returns 0 if current has the requested access, error code otherwise 3153 */ 3154 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3155 { 3156 int may; 3157 3158 may = smack_flags_to_may(shmflg); 3159 return smk_curacc_shm(isp, may); 3160 } 3161 3162 /** 3163 * smack_shm_shmctl - Smack access check for shm 3164 * @isp: the object 3165 * @cmd: what it wants to do 3166 * 3167 * Returns 0 if current has the requested access, error code otherwise 3168 */ 3169 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3170 { 3171 int may; 3172 3173 switch (cmd) { 3174 case IPC_STAT: 3175 case SHM_STAT: 3176 case SHM_STAT_ANY: 3177 may = MAY_READ; 3178 break; 3179 case IPC_SET: 3180 case SHM_LOCK: 3181 case SHM_UNLOCK: 3182 case IPC_RMID: 3183 may = MAY_READWRITE; 3184 break; 3185 case IPC_INFO: 3186 case SHM_INFO: 3187 /* 3188 * System level information. 3189 */ 3190 return 0; 3191 default: 3192 return -EINVAL; 3193 } 3194 return smk_curacc_shm(isp, may); 3195 } 3196 3197 /** 3198 * smack_shm_shmat - Smack access for shmat 3199 * @isp: the object 3200 * @shmaddr: unused 3201 * @shmflg: access requested 3202 * 3203 * Returns 0 if current has the requested access, error code otherwise 3204 */ 3205 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3206 int shmflg) 3207 { 3208 int may; 3209 3210 may = smack_flags_to_may(shmflg); 3211 return smk_curacc_shm(isp, may); 3212 } 3213 3214 /** 3215 * smk_curacc_sem : check if current has access on sem 3216 * @isp : the object 3217 * @access : access requested 3218 * 3219 * Returns 0 if current has the requested access, error code otherwise 3220 */ 3221 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3222 { 3223 struct smack_known *ssp = smack_of_ipc(isp); 3224 struct smk_audit_info ad; 3225 int rc; 3226 3227 #ifdef CONFIG_AUDIT 3228 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3229 ad.a.u.ipc_id = isp->id; 3230 #endif 3231 rc = smk_curacc(ssp, access, &ad); 3232 rc = smk_bu_current("sem", ssp, access, rc); 3233 return rc; 3234 } 3235 3236 /** 3237 * smack_sem_associate - Smack access check for sem 3238 * @isp: the object 3239 * @semflg: access requested 3240 * 3241 * Returns 0 if current has the requested access, error code otherwise 3242 */ 3243 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3244 { 3245 int may; 3246 3247 may = smack_flags_to_may(semflg); 3248 return smk_curacc_sem(isp, may); 3249 } 3250 3251 /** 3252 * smack_sem_semctl - Smack access check for sem 3253 * @isp: the object 3254 * @cmd: what it wants to do 3255 * 3256 * Returns 0 if current has the requested access, error code otherwise 3257 */ 3258 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3259 { 3260 int may; 3261 3262 switch (cmd) { 3263 case GETPID: 3264 case GETNCNT: 3265 case GETZCNT: 3266 case GETVAL: 3267 case GETALL: 3268 case IPC_STAT: 3269 case SEM_STAT: 3270 case SEM_STAT_ANY: 3271 may = MAY_READ; 3272 break; 3273 case SETVAL: 3274 case SETALL: 3275 case IPC_RMID: 3276 case IPC_SET: 3277 may = MAY_READWRITE; 3278 break; 3279 case IPC_INFO: 3280 case SEM_INFO: 3281 /* 3282 * System level information 3283 */ 3284 return 0; 3285 default: 3286 return -EINVAL; 3287 } 3288 3289 return smk_curacc_sem(isp, may); 3290 } 3291 3292 /** 3293 * smack_sem_semop - Smack checks of semaphore operations 3294 * @isp: the object 3295 * @sops: unused 3296 * @nsops: unused 3297 * @alter: unused 3298 * 3299 * Treated as read and write in all cases. 3300 * 3301 * Returns 0 if access is allowed, error code otherwise 3302 */ 3303 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3304 unsigned nsops, int alter) 3305 { 3306 return smk_curacc_sem(isp, MAY_READWRITE); 3307 } 3308 3309 /** 3310 * smk_curacc_msq : helper to check if current has access on msq 3311 * @isp : the msq 3312 * @access : access requested 3313 * 3314 * return 0 if current has access, error otherwise 3315 */ 3316 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3317 { 3318 struct smack_known *msp = smack_of_ipc(isp); 3319 struct smk_audit_info ad; 3320 int rc; 3321 3322 #ifdef CONFIG_AUDIT 3323 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3324 ad.a.u.ipc_id = isp->id; 3325 #endif 3326 rc = smk_curacc(msp, access, &ad); 3327 rc = smk_bu_current("msq", msp, access, rc); 3328 return rc; 3329 } 3330 3331 /** 3332 * smack_msg_queue_associate - Smack access check for msg_queue 3333 * @isp: the object 3334 * @msqflg: access requested 3335 * 3336 * Returns 0 if current has the requested access, error code otherwise 3337 */ 3338 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3339 { 3340 int may; 3341 3342 may = smack_flags_to_may(msqflg); 3343 return smk_curacc_msq(isp, may); 3344 } 3345 3346 /** 3347 * smack_msg_queue_msgctl - Smack access check for msg_queue 3348 * @isp: the object 3349 * @cmd: what it wants to do 3350 * 3351 * Returns 0 if current has the requested access, error code otherwise 3352 */ 3353 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3354 { 3355 int may; 3356 3357 switch (cmd) { 3358 case IPC_STAT: 3359 case MSG_STAT: 3360 case MSG_STAT_ANY: 3361 may = MAY_READ; 3362 break; 3363 case IPC_SET: 3364 case IPC_RMID: 3365 may = MAY_READWRITE; 3366 break; 3367 case IPC_INFO: 3368 case MSG_INFO: 3369 /* 3370 * System level information 3371 */ 3372 return 0; 3373 default: 3374 return -EINVAL; 3375 } 3376 3377 return smk_curacc_msq(isp, may); 3378 } 3379 3380 /** 3381 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3382 * @isp: the object 3383 * @msg: unused 3384 * @msqflg: access requested 3385 * 3386 * Returns 0 if current has the requested access, error code otherwise 3387 */ 3388 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3389 int msqflg) 3390 { 3391 int may; 3392 3393 may = smack_flags_to_may(msqflg); 3394 return smk_curacc_msq(isp, may); 3395 } 3396 3397 /** 3398 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3399 * @isp: the object 3400 * @msg: unused 3401 * @target: unused 3402 * @type: unused 3403 * @mode: unused 3404 * 3405 * Returns 0 if current has read and write access, error code otherwise 3406 */ 3407 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3408 struct msg_msg *msg, 3409 struct task_struct *target, long type, 3410 int mode) 3411 { 3412 return smk_curacc_msq(isp, MAY_READWRITE); 3413 } 3414 3415 /** 3416 * smack_ipc_permission - Smack access for ipc_permission() 3417 * @ipp: the object permissions 3418 * @flag: access requested 3419 * 3420 * Returns 0 if current has read and write access, error code otherwise 3421 */ 3422 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3423 { 3424 struct smack_known **blob = smack_ipc(ipp); 3425 struct smack_known *iskp = *blob; 3426 int may = smack_flags_to_may(flag); 3427 struct smk_audit_info ad; 3428 int rc; 3429 3430 #ifdef CONFIG_AUDIT 3431 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3432 ad.a.u.ipc_id = ipp->id; 3433 #endif 3434 rc = smk_curacc(iskp, may, &ad); 3435 rc = smk_bu_current("svipc", iskp, may, rc); 3436 return rc; 3437 } 3438 3439 /** 3440 * smack_ipc_getlsmprop - Extract smack security data 3441 * @ipp: the object permissions 3442 * @prop: where result will be saved 3443 */ 3444 static void smack_ipc_getlsmprop(struct kern_ipc_perm *ipp, struct lsm_prop *prop) 3445 { 3446 struct smack_known **iskpp = smack_ipc(ipp); 3447 3448 prop->smack.skp = *iskpp; 3449 } 3450 3451 /** 3452 * smack_d_instantiate - Make sure the blob is correct on an inode 3453 * @opt_dentry: dentry where inode will be attached 3454 * @inode: the object 3455 * 3456 * Set the inode's security blob if it hasn't been done already. 3457 */ 3458 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3459 { 3460 struct super_block *sbp; 3461 struct superblock_smack *sbsp; 3462 struct inode_smack *isp; 3463 struct smack_known *skp; 3464 struct smack_known *ckp = smk_of_current(); 3465 struct smack_known *final; 3466 char trattr[TRANS_TRUE_SIZE]; 3467 int transflag = 0; 3468 int rc; 3469 struct dentry *dp; 3470 3471 if (inode == NULL) 3472 return; 3473 3474 isp = smack_inode(inode); 3475 3476 /* 3477 * If the inode is already instantiated 3478 * take the quick way out 3479 */ 3480 if (isp->smk_flags & SMK_INODE_INSTANT) 3481 return; 3482 3483 sbp = inode->i_sb; 3484 sbsp = smack_superblock(sbp); 3485 /* 3486 * We're going to use the superblock default label 3487 * if there's no label on the file. 3488 */ 3489 final = sbsp->smk_default; 3490 3491 /* 3492 * If this is the root inode the superblock 3493 * may be in the process of initialization. 3494 * If that is the case use the root value out 3495 * of the superblock. 3496 */ 3497 if (opt_dentry->d_parent == opt_dentry) { 3498 switch (sbp->s_magic) { 3499 case CGROUP_SUPER_MAGIC: 3500 case CGROUP2_SUPER_MAGIC: 3501 /* 3502 * The cgroup filesystem is never mounted, 3503 * so there's no opportunity to set the mount 3504 * options. 3505 */ 3506 sbsp->smk_root = &smack_known_star; 3507 sbsp->smk_default = &smack_known_star; 3508 isp->smk_inode = sbsp->smk_root; 3509 break; 3510 case TMPFS_MAGIC: 3511 /* 3512 * What about shmem/tmpfs anonymous files with dentry 3513 * obtained from d_alloc_pseudo()? 3514 */ 3515 isp->smk_inode = smk_of_current(); 3516 break; 3517 case PIPEFS_MAGIC: 3518 isp->smk_inode = smk_of_current(); 3519 break; 3520 case SOCKFS_MAGIC: 3521 /* 3522 * Socket access is controlled by the socket 3523 * structures associated with the task involved. 3524 */ 3525 isp->smk_inode = &smack_known_star; 3526 break; 3527 default: 3528 isp->smk_inode = sbsp->smk_root; 3529 break; 3530 } 3531 isp->smk_flags |= SMK_INODE_INSTANT; 3532 return; 3533 } 3534 3535 /* 3536 * This is pretty hackish. 3537 * Casey says that we shouldn't have to do 3538 * file system specific code, but it does help 3539 * with keeping it simple. 3540 */ 3541 switch (sbp->s_magic) { 3542 case SMACK_MAGIC: 3543 case CGROUP_SUPER_MAGIC: 3544 case CGROUP2_SUPER_MAGIC: 3545 /* 3546 * Casey says that it's a little embarrassing 3547 * that the smack file system doesn't do 3548 * extended attributes. 3549 * 3550 * Cgroupfs is special 3551 */ 3552 final = &smack_known_star; 3553 break; 3554 case DEVPTS_SUPER_MAGIC: 3555 /* 3556 * devpts seems content with the label of the task. 3557 * Programs that change smack have to treat the 3558 * pty with respect. 3559 */ 3560 final = ckp; 3561 break; 3562 case PROC_SUPER_MAGIC: 3563 /* 3564 * Casey says procfs appears not to care. 3565 * The superblock default suffices. 3566 */ 3567 break; 3568 case TMPFS_MAGIC: 3569 /* 3570 * Device labels should come from the filesystem, 3571 * but watch out, because they're volitile, 3572 * getting recreated on every reboot. 3573 */ 3574 final = &smack_known_star; 3575 /* 3576 * If a smack value has been set we want to use it, 3577 * but since tmpfs isn't giving us the opportunity 3578 * to set mount options simulate setting the 3579 * superblock default. 3580 */ 3581 fallthrough; 3582 default: 3583 /* 3584 * This isn't an understood special case. 3585 * Get the value from the xattr. 3586 */ 3587 3588 /* 3589 * UNIX domain sockets use lower level socket data. 3590 */ 3591 if (S_ISSOCK(inode->i_mode)) { 3592 final = &smack_known_star; 3593 break; 3594 } 3595 /* 3596 * No xattr support means, alas, no SMACK label. 3597 * Use the aforeapplied default. 3598 * It would be curious if the label of the task 3599 * does not match that assigned. 3600 */ 3601 if (!(inode->i_opflags & IOP_XATTR)) 3602 break; 3603 /* 3604 * Get the dentry for xattr. 3605 */ 3606 dp = dget(opt_dentry); 3607 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3608 if (!IS_ERR_OR_NULL(skp)) 3609 final = skp; 3610 3611 /* 3612 * Transmuting directory 3613 */ 3614 if (S_ISDIR(inode->i_mode)) { 3615 /* 3616 * If this is a new directory and the label was 3617 * transmuted when the inode was initialized 3618 * set the transmute attribute on the directory 3619 * and mark the inode. 3620 * 3621 * If there is a transmute attribute on the 3622 * directory mark the inode. 3623 */ 3624 rc = __vfs_getxattr(dp, inode, 3625 XATTR_NAME_SMACKTRANSMUTE, trattr, 3626 TRANS_TRUE_SIZE); 3627 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3628 TRANS_TRUE_SIZE) != 0) 3629 rc = -EINVAL; 3630 if (rc >= 0) 3631 transflag = SMK_INODE_TRANSMUTE; 3632 } 3633 /* 3634 * Don't let the exec or mmap label be "*" or "@". 3635 */ 3636 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3637 if (IS_ERR(skp) || skp == &smack_known_star || 3638 skp == &smack_known_web) 3639 skp = NULL; 3640 isp->smk_task = skp; 3641 3642 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3643 if (IS_ERR(skp) || skp == &smack_known_star || 3644 skp == &smack_known_web) 3645 skp = NULL; 3646 isp->smk_mmap = skp; 3647 3648 dput(dp); 3649 break; 3650 } 3651 3652 if (final == NULL) 3653 isp->smk_inode = ckp; 3654 else 3655 isp->smk_inode = final; 3656 3657 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3658 3659 return; 3660 } 3661 3662 /** 3663 * smack_getselfattr - Smack current process attribute 3664 * @attr: which attribute to fetch 3665 * @ctx: buffer to receive the result 3666 * @size: available size in, actual size out 3667 * @flags: unused 3668 * 3669 * Fill the passed user space @ctx with the details of the requested 3670 * attribute. 3671 * 3672 * Returns the number of attributes on success, an error code otherwise. 3673 * There will only ever be one attribute. 3674 */ 3675 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3676 u32 *size, u32 flags) 3677 { 3678 int rc; 3679 struct smack_known *skp; 3680 3681 if (attr != LSM_ATTR_CURRENT) 3682 return -EOPNOTSUPP; 3683 3684 skp = smk_of_current(); 3685 rc = lsm_fill_user_ctx(ctx, size, 3686 skp->smk_known, strlen(skp->smk_known) + 1, 3687 LSM_ID_SMACK, 0); 3688 return (!rc ? 1 : rc); 3689 } 3690 3691 /** 3692 * smack_getprocattr - Smack process attribute access 3693 * @p: the object task 3694 * @name: the name of the attribute in /proc/.../attr 3695 * @value: where to put the result 3696 * 3697 * Places a copy of the task Smack into value 3698 * 3699 * Returns the length of the smack label or an error code 3700 */ 3701 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3702 { 3703 struct smack_known *skp = smk_of_task_struct_obj(p); 3704 char *cp; 3705 int slen; 3706 3707 if (strcmp(name, "current") != 0) 3708 return -EINVAL; 3709 3710 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3711 if (cp == NULL) 3712 return -ENOMEM; 3713 3714 slen = strlen(cp); 3715 *value = cp; 3716 return slen; 3717 } 3718 3719 /** 3720 * do_setattr - Smack process attribute setting 3721 * @attr: the ID of the attribute 3722 * @value: the value to set 3723 * @size: the size of the value 3724 * 3725 * Sets the Smack value of the task. Only setting self 3726 * is permitted and only with privilege 3727 * 3728 * Returns the length of the smack label or an error code 3729 */ 3730 static int do_setattr(u64 attr, void *value, size_t size) 3731 { 3732 struct task_smack *tsp = smack_cred(current_cred()); 3733 struct cred *new; 3734 struct smack_known *skp; 3735 struct smack_known_list_elem *sklep; 3736 int rc; 3737 3738 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3739 return -EPERM; 3740 3741 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3742 return -EINVAL; 3743 3744 if (attr != LSM_ATTR_CURRENT) 3745 return -EOPNOTSUPP; 3746 3747 skp = smk_import_entry(value, size); 3748 if (IS_ERR(skp)) 3749 return PTR_ERR(skp); 3750 3751 /* 3752 * No process is ever allowed the web ("@") label 3753 * and the star ("*") label. 3754 */ 3755 if (skp == &smack_known_web || skp == &smack_known_star) 3756 return -EINVAL; 3757 3758 if (!smack_privileged(CAP_MAC_ADMIN)) { 3759 rc = -EPERM; 3760 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3761 if (sklep->smk_label == skp) { 3762 rc = 0; 3763 break; 3764 } 3765 if (rc) 3766 return rc; 3767 } 3768 3769 new = prepare_creds(); 3770 if (new == NULL) 3771 return -ENOMEM; 3772 3773 tsp = smack_cred(new); 3774 tsp->smk_task = skp; 3775 /* 3776 * process can change its label only once 3777 */ 3778 smk_destroy_label_list(&tsp->smk_relabel); 3779 3780 commit_creds(new); 3781 return size; 3782 } 3783 3784 /** 3785 * smack_setselfattr - Set a Smack process attribute 3786 * @attr: which attribute to set 3787 * @ctx: buffer containing the data 3788 * @size: size of @ctx 3789 * @flags: unused 3790 * 3791 * Fill the passed user space @ctx with the details of the requested 3792 * attribute. 3793 * 3794 * Returns 0 on success, an error code otherwise. 3795 */ 3796 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3797 u32 size, u32 flags) 3798 { 3799 int rc; 3800 3801 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3802 if (rc > 0) 3803 return 0; 3804 return rc; 3805 } 3806 3807 /** 3808 * smack_setprocattr - Smack process attribute setting 3809 * @name: the name of the attribute in /proc/.../attr 3810 * @value: the value to set 3811 * @size: the size of the value 3812 * 3813 * Sets the Smack value of the task. Only setting self 3814 * is permitted and only with privilege 3815 * 3816 * Returns the length of the smack label or an error code 3817 */ 3818 static int smack_setprocattr(const char *name, void *value, size_t size) 3819 { 3820 int attr = lsm_name_to_attr(name); 3821 3822 if (attr != LSM_ATTR_UNDEF) 3823 return do_setattr(attr, value, size); 3824 return -EINVAL; 3825 } 3826 3827 /** 3828 * smack_unix_stream_connect - Smack access on UDS 3829 * @sock: one sock 3830 * @other: the other sock 3831 * @newsk: unused 3832 * 3833 * Return 0 if a subject with the smack of sock could access 3834 * an object with the smack of other, otherwise an error code 3835 */ 3836 static int smack_unix_stream_connect(struct sock *sock, 3837 struct sock *other, struct sock *newsk) 3838 { 3839 struct smack_known *skp; 3840 struct smack_known *okp; 3841 struct socket_smack *ssp = smack_sock(sock); 3842 struct socket_smack *osp = smack_sock(other); 3843 struct socket_smack *nsp = smack_sock(newsk); 3844 struct smk_audit_info ad; 3845 int rc = 0; 3846 #ifdef CONFIG_AUDIT 3847 struct lsm_network_audit net; 3848 #endif 3849 3850 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3851 skp = ssp->smk_out; 3852 okp = osp->smk_in; 3853 #ifdef CONFIG_AUDIT 3854 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3855 smk_ad_setfield_u_net_sk(&ad, other); 3856 #endif 3857 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3858 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3859 if (rc == 0) { 3860 okp = osp->smk_out; 3861 skp = ssp->smk_in; 3862 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3863 rc = smk_bu_note("UDS connect", okp, skp, 3864 MAY_WRITE, rc); 3865 } 3866 } 3867 3868 if (rc == 0) { 3869 /* 3870 * Cross reference the peer labels for SO_PEERSEC. 3871 */ 3872 nsp->smk_packet = ssp->smk_out; 3873 ssp->smk_packet = osp->smk_out; 3874 3875 /* 3876 * new/child/established socket must inherit listening socket labels 3877 */ 3878 nsp->smk_out = osp->smk_out; 3879 nsp->smk_in = osp->smk_in; 3880 } 3881 3882 return rc; 3883 } 3884 3885 /** 3886 * smack_unix_may_send - Smack access on UDS 3887 * @sock: one socket 3888 * @other: the other socket 3889 * 3890 * Return 0 if a subject with the smack of sock could access 3891 * an object with the smack of other, otherwise an error code 3892 */ 3893 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3894 { 3895 struct socket_smack *ssp = smack_sock(sock->sk); 3896 struct socket_smack *osp = smack_sock(other->sk); 3897 struct smk_audit_info ad; 3898 int rc; 3899 3900 #ifdef CONFIG_AUDIT 3901 struct lsm_network_audit net; 3902 3903 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3904 smk_ad_setfield_u_net_sk(&ad, other->sk); 3905 #endif 3906 3907 if (smack_privileged(CAP_MAC_OVERRIDE)) 3908 return 0; 3909 3910 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3911 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3912 return rc; 3913 } 3914 3915 /** 3916 * smack_socket_sendmsg - Smack check based on destination host 3917 * @sock: the socket 3918 * @msg: the message 3919 * @size: the size of the message 3920 * 3921 * Return 0 if the current subject can write to the destination host. 3922 * For IPv4 this is only a question if the destination is a single label host. 3923 * For IPv6 this is a check against the label of the port. 3924 */ 3925 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3926 int size) 3927 { 3928 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3929 #if IS_ENABLED(CONFIG_IPV6) 3930 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3931 #endif 3932 #ifdef SMACK_IPV6_SECMARK_LABELING 3933 struct socket_smack *ssp = smack_sock(sock->sk); 3934 struct smack_known *rsp; 3935 #endif 3936 int rc = 0; 3937 3938 /* 3939 * Perfectly reasonable for this to be NULL 3940 */ 3941 if (sip == NULL) 3942 return 0; 3943 3944 switch (sock->sk->sk_family) { 3945 case AF_INET: 3946 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3947 sip->sin_family != AF_INET) 3948 return -EINVAL; 3949 rc = smk_ipv4_check(sock->sk, sip); 3950 break; 3951 #if IS_ENABLED(CONFIG_IPV6) 3952 case AF_INET6: 3953 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3954 sap->sin6_family != AF_INET6) 3955 return -EINVAL; 3956 #ifdef SMACK_IPV6_SECMARK_LABELING 3957 rsp = smack_ipv6host_label(sap); 3958 if (rsp != NULL) 3959 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3960 SMK_CONNECTING); 3961 #endif 3962 #ifdef SMACK_IPV6_PORT_LABELING 3963 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3964 #endif 3965 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3966 break; 3967 } 3968 return rc; 3969 } 3970 3971 /** 3972 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3973 * @sap: netlabel secattr 3974 * @ssp: socket security information 3975 * 3976 * Returns a pointer to a Smack label entry found on the label list. 3977 */ 3978 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3979 struct socket_smack *ssp) 3980 { 3981 struct smack_known *skp; 3982 int found = 0; 3983 int acat; 3984 int kcat; 3985 3986 /* 3987 * Netlabel found it in the cache. 3988 */ 3989 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3990 return (struct smack_known *)sap->cache->data; 3991 3992 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3993 /* 3994 * Looks like a fallback, which gives us a secid. 3995 */ 3996 return smack_from_secid(sap->attr.secid); 3997 3998 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3999 /* 4000 * Looks like a CIPSO packet. 4001 * If there are flags but no level netlabel isn't 4002 * behaving the way we expect it to. 4003 * 4004 * Look it up in the label table 4005 * Without guidance regarding the smack value 4006 * for the packet fall back on the network 4007 * ambient value. 4008 */ 4009 rcu_read_lock(); 4010 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4011 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4012 continue; 4013 /* 4014 * Compare the catsets. Use the netlbl APIs. 4015 */ 4016 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4017 if ((skp->smk_netlabel.flags & 4018 NETLBL_SECATTR_MLS_CAT) == 0) 4019 found = 1; 4020 break; 4021 } 4022 for (acat = -1, kcat = -1; acat == kcat; ) { 4023 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4024 acat + 1); 4025 kcat = netlbl_catmap_walk( 4026 skp->smk_netlabel.attr.mls.cat, 4027 kcat + 1); 4028 if (acat < 0 || kcat < 0) 4029 break; 4030 } 4031 if (acat == kcat) { 4032 found = 1; 4033 break; 4034 } 4035 } 4036 rcu_read_unlock(); 4037 4038 if (found) 4039 return skp; 4040 4041 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4042 return &smack_known_web; 4043 return &smack_known_star; 4044 } 4045 /* 4046 * Without guidance regarding the smack value 4047 * for the packet fall back on the network 4048 * ambient value. 4049 */ 4050 return smack_net_ambient; 4051 } 4052 4053 #if IS_ENABLED(CONFIG_IPV6) 4054 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4055 { 4056 u8 nexthdr; 4057 int offset; 4058 int proto = -EINVAL; 4059 struct ipv6hdr _ipv6h; 4060 struct ipv6hdr *ip6; 4061 __be16 frag_off; 4062 struct tcphdr _tcph, *th; 4063 struct udphdr _udph, *uh; 4064 struct dccp_hdr _dccph, *dh; 4065 4066 sip->sin6_port = 0; 4067 4068 offset = skb_network_offset(skb); 4069 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4070 if (ip6 == NULL) 4071 return -EINVAL; 4072 sip->sin6_addr = ip6->saddr; 4073 4074 nexthdr = ip6->nexthdr; 4075 offset += sizeof(_ipv6h); 4076 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4077 if (offset < 0) 4078 return -EINVAL; 4079 4080 proto = nexthdr; 4081 switch (proto) { 4082 case IPPROTO_TCP: 4083 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4084 if (th != NULL) 4085 sip->sin6_port = th->source; 4086 break; 4087 case IPPROTO_UDP: 4088 case IPPROTO_UDPLITE: 4089 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4090 if (uh != NULL) 4091 sip->sin6_port = uh->source; 4092 break; 4093 case IPPROTO_DCCP: 4094 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4095 if (dh != NULL) 4096 sip->sin6_port = dh->dccph_sport; 4097 break; 4098 } 4099 return proto; 4100 } 4101 #endif /* CONFIG_IPV6 */ 4102 4103 /** 4104 * smack_from_skb - Smack data from the secmark in an skb 4105 * @skb: packet 4106 * 4107 * Returns smack_known of the secmark or NULL if that won't work. 4108 */ 4109 #ifdef CONFIG_NETWORK_SECMARK 4110 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4111 { 4112 if (skb == NULL || skb->secmark == 0) 4113 return NULL; 4114 4115 return smack_from_secid(skb->secmark); 4116 } 4117 #else 4118 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4119 { 4120 return NULL; 4121 } 4122 #endif 4123 4124 /** 4125 * smack_from_netlbl - Smack data from the IP options in an skb 4126 * @sk: socket data came in on 4127 * @family: address family 4128 * @skb: packet 4129 * 4130 * Find the Smack label in the IP options. If it hasn't been 4131 * added to the netlabel cache, add it here. 4132 * 4133 * Returns smack_known of the IP options or NULL if that won't work. 4134 */ 4135 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4136 struct sk_buff *skb) 4137 { 4138 struct netlbl_lsm_secattr secattr; 4139 struct socket_smack *ssp = NULL; 4140 struct smack_known *skp = NULL; 4141 4142 netlbl_secattr_init(&secattr); 4143 4144 if (sk) 4145 ssp = smack_sock(sk); 4146 4147 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4148 skp = smack_from_secattr(&secattr, ssp); 4149 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4150 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4151 } 4152 4153 netlbl_secattr_destroy(&secattr); 4154 4155 return skp; 4156 } 4157 4158 /** 4159 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4160 * @sk: socket 4161 * @skb: packet 4162 * 4163 * Returns 0 if the packet should be delivered, an error code otherwise 4164 */ 4165 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4166 { 4167 struct socket_smack *ssp = smack_sock(sk); 4168 struct smack_known *skp = NULL; 4169 int rc = 0; 4170 struct smk_audit_info ad; 4171 u16 family = sk->sk_family; 4172 #ifdef CONFIG_AUDIT 4173 struct lsm_network_audit net; 4174 #endif 4175 #if IS_ENABLED(CONFIG_IPV6) 4176 struct sockaddr_in6 sadd; 4177 int proto; 4178 4179 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4180 family = PF_INET; 4181 #endif /* CONFIG_IPV6 */ 4182 4183 switch (family) { 4184 case PF_INET: 4185 /* 4186 * If there is a secmark use it rather than the CIPSO label. 4187 * If there is no secmark fall back to CIPSO. 4188 * The secmark is assumed to reflect policy better. 4189 */ 4190 skp = smack_from_skb(skb); 4191 if (skp == NULL) { 4192 skp = smack_from_netlbl(sk, family, skb); 4193 if (skp == NULL) 4194 skp = smack_net_ambient; 4195 } 4196 4197 #ifdef CONFIG_AUDIT 4198 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4199 ad.a.u.net->family = family; 4200 ad.a.u.net->netif = skb->skb_iif; 4201 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4202 #endif 4203 /* 4204 * Receiving a packet requires that the other end 4205 * be able to write here. Read access is not required. 4206 * This is the simplest possible security model 4207 * for networking. 4208 */ 4209 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4210 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4211 MAY_WRITE, rc); 4212 if (rc != 0) 4213 netlbl_skbuff_err(skb, family, rc, 0); 4214 break; 4215 #if IS_ENABLED(CONFIG_IPV6) 4216 case PF_INET6: 4217 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4218 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4219 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 4220 break; 4221 #ifdef SMACK_IPV6_SECMARK_LABELING 4222 skp = smack_from_skb(skb); 4223 if (skp == NULL) { 4224 if (smk_ipv6_localhost(&sadd)) 4225 break; 4226 skp = smack_ipv6host_label(&sadd); 4227 if (skp == NULL) 4228 skp = smack_net_ambient; 4229 } 4230 #ifdef CONFIG_AUDIT 4231 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4232 ad.a.u.net->family = family; 4233 ad.a.u.net->netif = skb->skb_iif; 4234 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4235 #endif /* CONFIG_AUDIT */ 4236 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4237 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4238 MAY_WRITE, rc); 4239 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4240 #ifdef SMACK_IPV6_PORT_LABELING 4241 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4242 #endif /* SMACK_IPV6_PORT_LABELING */ 4243 if (rc != 0) 4244 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4245 ICMPV6_ADM_PROHIBITED, 0); 4246 break; 4247 #endif /* CONFIG_IPV6 */ 4248 } 4249 4250 return rc; 4251 } 4252 4253 /** 4254 * smack_socket_getpeersec_stream - pull in packet label 4255 * @sock: the socket 4256 * @optval: user's destination 4257 * @optlen: size thereof 4258 * @len: max thereof 4259 * 4260 * returns zero on success, an error code otherwise 4261 */ 4262 static int smack_socket_getpeersec_stream(struct socket *sock, 4263 sockptr_t optval, sockptr_t optlen, 4264 unsigned int len) 4265 { 4266 struct socket_smack *ssp; 4267 char *rcp = ""; 4268 u32 slen = 1; 4269 int rc = 0; 4270 4271 ssp = smack_sock(sock->sk); 4272 if (ssp->smk_packet != NULL) { 4273 rcp = ssp->smk_packet->smk_known; 4274 slen = strlen(rcp) + 1; 4275 } 4276 if (slen > len) { 4277 rc = -ERANGE; 4278 goto out_len; 4279 } 4280 4281 if (copy_to_sockptr(optval, rcp, slen)) 4282 rc = -EFAULT; 4283 out_len: 4284 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4285 rc = -EFAULT; 4286 return rc; 4287 } 4288 4289 4290 /** 4291 * smack_socket_getpeersec_dgram - pull in packet label 4292 * @sock: the peer socket 4293 * @skb: packet data 4294 * @secid: pointer to where to put the secid of the packet 4295 * 4296 * Sets the netlabel socket state on sk from parent 4297 */ 4298 static int smack_socket_getpeersec_dgram(struct socket *sock, 4299 struct sk_buff *skb, u32 *secid) 4300 4301 { 4302 struct socket_smack *ssp = NULL; 4303 struct smack_known *skp; 4304 struct sock *sk = NULL; 4305 int family = PF_UNSPEC; 4306 u32 s = 0; /* 0 is the invalid secid */ 4307 4308 if (skb != NULL) { 4309 if (skb->protocol == htons(ETH_P_IP)) 4310 family = PF_INET; 4311 #if IS_ENABLED(CONFIG_IPV6) 4312 else if (skb->protocol == htons(ETH_P_IPV6)) 4313 family = PF_INET6; 4314 #endif /* CONFIG_IPV6 */ 4315 } 4316 if (family == PF_UNSPEC && sock != NULL) 4317 family = sock->sk->sk_family; 4318 4319 switch (family) { 4320 case PF_UNIX: 4321 ssp = smack_sock(sock->sk); 4322 s = ssp->smk_out->smk_secid; 4323 break; 4324 case PF_INET: 4325 skp = smack_from_skb(skb); 4326 if (skp) { 4327 s = skp->smk_secid; 4328 break; 4329 } 4330 /* 4331 * Translate what netlabel gave us. 4332 */ 4333 if (sock != NULL) 4334 sk = sock->sk; 4335 skp = smack_from_netlbl(sk, family, skb); 4336 if (skp != NULL) 4337 s = skp->smk_secid; 4338 break; 4339 case PF_INET6: 4340 #ifdef SMACK_IPV6_SECMARK_LABELING 4341 skp = smack_from_skb(skb); 4342 if (skp) 4343 s = skp->smk_secid; 4344 #endif 4345 break; 4346 } 4347 *secid = s; 4348 if (s == 0) 4349 return -EINVAL; 4350 return 0; 4351 } 4352 4353 /** 4354 * smack_inet_conn_request - Smack access check on connect 4355 * @sk: socket involved 4356 * @skb: packet 4357 * @req: unused 4358 * 4359 * Returns 0 if a task with the packet label could write to 4360 * the socket, otherwise an error code 4361 */ 4362 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4363 struct request_sock *req) 4364 { 4365 u16 family = sk->sk_family; 4366 struct smack_known *skp; 4367 struct socket_smack *ssp = smack_sock(sk); 4368 struct sockaddr_in addr; 4369 struct iphdr *hdr; 4370 struct smack_known *hskp; 4371 int rc; 4372 struct smk_audit_info ad; 4373 #ifdef CONFIG_AUDIT 4374 struct lsm_network_audit net; 4375 #endif 4376 4377 #if IS_ENABLED(CONFIG_IPV6) 4378 if (family == PF_INET6) { 4379 /* 4380 * Handle mapped IPv4 packets arriving 4381 * via IPv6 sockets. Don't set up netlabel 4382 * processing on IPv6. 4383 */ 4384 if (skb->protocol == htons(ETH_P_IP)) 4385 family = PF_INET; 4386 else 4387 return 0; 4388 } 4389 #endif /* CONFIG_IPV6 */ 4390 4391 /* 4392 * If there is a secmark use it rather than the CIPSO label. 4393 * If there is no secmark fall back to CIPSO. 4394 * The secmark is assumed to reflect policy better. 4395 */ 4396 skp = smack_from_skb(skb); 4397 if (skp == NULL) { 4398 skp = smack_from_netlbl(sk, family, skb); 4399 if (skp == NULL) 4400 skp = &smack_known_huh; 4401 } 4402 4403 #ifdef CONFIG_AUDIT 4404 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4405 ad.a.u.net->family = family; 4406 ad.a.u.net->netif = skb->skb_iif; 4407 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4408 #endif 4409 /* 4410 * Receiving a packet requires that the other end be able to write 4411 * here. Read access is not required. 4412 */ 4413 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4414 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4415 if (rc != 0) 4416 return rc; 4417 4418 /* 4419 * Save the peer's label in the request_sock so we can later setup 4420 * smk_packet in the child socket so that SO_PEERCRED can report it. 4421 */ 4422 req->peer_secid = skp->smk_secid; 4423 4424 /* 4425 * We need to decide if we want to label the incoming connection here 4426 * if we do we only need to label the request_sock and the stack will 4427 * propagate the wire-label to the sock when it is created. 4428 */ 4429 hdr = ip_hdr(skb); 4430 addr.sin_addr.s_addr = hdr->saddr; 4431 rcu_read_lock(); 4432 hskp = smack_ipv4host_label(&addr); 4433 rcu_read_unlock(); 4434 4435 if (hskp == NULL) 4436 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4437 else 4438 netlbl_req_delattr(req); 4439 4440 return rc; 4441 } 4442 4443 /** 4444 * smack_inet_csk_clone - Copy the connection information to the new socket 4445 * @sk: the new socket 4446 * @req: the connection's request_sock 4447 * 4448 * Transfer the connection's peer label to the newly created socket. 4449 */ 4450 static void smack_inet_csk_clone(struct sock *sk, 4451 const struct request_sock *req) 4452 { 4453 struct socket_smack *ssp = smack_sock(sk); 4454 struct smack_known *skp; 4455 4456 if (req->peer_secid != 0) { 4457 skp = smack_from_secid(req->peer_secid); 4458 ssp->smk_packet = skp; 4459 } else 4460 ssp->smk_packet = NULL; 4461 } 4462 4463 /* 4464 * Key management security hooks 4465 * 4466 * Casey has not tested key support very heavily. 4467 * The permission check is most likely too restrictive. 4468 * If you care about keys please have a look. 4469 */ 4470 #ifdef CONFIG_KEYS 4471 4472 /** 4473 * smack_key_alloc - Set the key security blob 4474 * @key: object 4475 * @cred: the credentials to use 4476 * @flags: unused 4477 * 4478 * No allocation required 4479 * 4480 * Returns 0 4481 */ 4482 static int smack_key_alloc(struct key *key, const struct cred *cred, 4483 unsigned long flags) 4484 { 4485 struct smack_known **blob = smack_key(key); 4486 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4487 4488 *blob = skp; 4489 return 0; 4490 } 4491 4492 /** 4493 * smack_key_permission - Smack access on a key 4494 * @key_ref: gets to the object 4495 * @cred: the credentials to use 4496 * @need_perm: requested key permission 4497 * 4498 * Return 0 if the task has read and write to the object, 4499 * an error code otherwise 4500 */ 4501 static int smack_key_permission(key_ref_t key_ref, 4502 const struct cred *cred, 4503 enum key_need_perm need_perm) 4504 { 4505 struct smack_known **blob; 4506 struct smack_known *skp; 4507 struct key *keyp; 4508 struct smk_audit_info ad; 4509 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4510 int request = 0; 4511 int rc; 4512 4513 /* 4514 * Validate requested permissions 4515 */ 4516 switch (need_perm) { 4517 case KEY_NEED_READ: 4518 case KEY_NEED_SEARCH: 4519 case KEY_NEED_VIEW: 4520 request |= MAY_READ; 4521 break; 4522 case KEY_NEED_WRITE: 4523 case KEY_NEED_LINK: 4524 case KEY_NEED_SETATTR: 4525 request |= MAY_WRITE; 4526 break; 4527 case KEY_NEED_UNSPECIFIED: 4528 case KEY_NEED_UNLINK: 4529 case KEY_SYSADMIN_OVERRIDE: 4530 case KEY_AUTHTOKEN_OVERRIDE: 4531 case KEY_DEFER_PERM_CHECK: 4532 return 0; 4533 default: 4534 return -EINVAL; 4535 } 4536 4537 keyp = key_ref_to_ptr(key_ref); 4538 if (keyp == NULL) 4539 return -EINVAL; 4540 /* 4541 * If the key hasn't been initialized give it access so that 4542 * it may do so. 4543 */ 4544 blob = smack_key(keyp); 4545 skp = *blob; 4546 if (skp == NULL) 4547 return 0; 4548 /* 4549 * This should not occur 4550 */ 4551 if (tkp == NULL) 4552 return -EACCES; 4553 4554 if (smack_privileged(CAP_MAC_OVERRIDE)) 4555 return 0; 4556 4557 #ifdef CONFIG_AUDIT 4558 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4559 ad.a.u.key_struct.key = keyp->serial; 4560 ad.a.u.key_struct.key_desc = keyp->description; 4561 #endif 4562 rc = smk_access(tkp, skp, request, &ad); 4563 rc = smk_bu_note("key access", tkp, skp, request, rc); 4564 return rc; 4565 } 4566 4567 /* 4568 * smack_key_getsecurity - Smack label tagging the key 4569 * @key points to the key to be queried 4570 * @_buffer points to a pointer that should be set to point to the 4571 * resulting string (if no label or an error occurs). 4572 * Return the length of the string (including terminating NUL) or -ve if 4573 * an error. 4574 * May also return 0 (and a NULL buffer pointer) if there is no label. 4575 */ 4576 static int smack_key_getsecurity(struct key *key, char **_buffer) 4577 { 4578 struct smack_known **blob = smack_key(key); 4579 struct smack_known *skp = *blob; 4580 size_t length; 4581 char *copy; 4582 4583 if (skp == NULL) { 4584 *_buffer = NULL; 4585 return 0; 4586 } 4587 4588 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4589 if (copy == NULL) 4590 return -ENOMEM; 4591 length = strlen(copy) + 1; 4592 4593 *_buffer = copy; 4594 return length; 4595 } 4596 4597 4598 #ifdef CONFIG_KEY_NOTIFICATIONS 4599 /** 4600 * smack_watch_key - Smack access to watch a key for notifications. 4601 * @key: The key to be watched 4602 * 4603 * Return 0 if the @watch->cred has permission to read from the key object and 4604 * an error otherwise. 4605 */ 4606 static int smack_watch_key(struct key *key) 4607 { 4608 struct smk_audit_info ad; 4609 struct smack_known *tkp = smk_of_current(); 4610 struct smack_known **blob = smack_key(key); 4611 int rc; 4612 4613 /* 4614 * This should not occur 4615 */ 4616 if (tkp == NULL) 4617 return -EACCES; 4618 4619 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4620 return 0; 4621 4622 #ifdef CONFIG_AUDIT 4623 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4624 ad.a.u.key_struct.key = key->serial; 4625 ad.a.u.key_struct.key_desc = key->description; 4626 #endif 4627 rc = smk_access(tkp, *blob, MAY_READ, &ad); 4628 rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc); 4629 return rc; 4630 } 4631 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4632 #endif /* CONFIG_KEYS */ 4633 4634 #ifdef CONFIG_WATCH_QUEUE 4635 /** 4636 * smack_post_notification - Smack access to post a notification to a queue 4637 * @w_cred: The credentials of the watcher. 4638 * @cred: The credentials of the event source (may be NULL). 4639 * @n: The notification message to be posted. 4640 */ 4641 static int smack_post_notification(const struct cred *w_cred, 4642 const struct cred *cred, 4643 struct watch_notification *n) 4644 { 4645 struct smk_audit_info ad; 4646 struct smack_known *subj, *obj; 4647 int rc; 4648 4649 /* Always let maintenance notifications through. */ 4650 if (n->type == WATCH_TYPE_META) 4651 return 0; 4652 4653 if (!cred) 4654 return 0; 4655 subj = smk_of_task(smack_cred(cred)); 4656 obj = smk_of_task(smack_cred(w_cred)); 4657 4658 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4659 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4660 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4661 return rc; 4662 } 4663 #endif /* CONFIG_WATCH_QUEUE */ 4664 4665 /* 4666 * Smack Audit hooks 4667 * 4668 * Audit requires a unique representation of each Smack specific 4669 * rule. This unique representation is used to distinguish the 4670 * object to be audited from remaining kernel objects and also 4671 * works as a glue between the audit hooks. 4672 * 4673 * Since repository entries are added but never deleted, we'll use 4674 * the smack_known label address related to the given audit rule as 4675 * the needed unique representation. This also better fits the smack 4676 * model where nearly everything is a label. 4677 */ 4678 #ifdef CONFIG_AUDIT 4679 4680 /** 4681 * smack_audit_rule_init - Initialize a smack audit rule 4682 * @field: audit rule fields given from user-space (audit.h) 4683 * @op: required testing operator (=, !=, >, <, ...) 4684 * @rulestr: smack label to be audited 4685 * @vrule: pointer to save our own audit rule representation 4686 * @gfp: type of the memory for the allocation 4687 * 4688 * Prepare to audit cases where (@field @op @rulestr) is true. 4689 * The label to be audited is created if necessary. 4690 */ 4691 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4692 gfp_t gfp) 4693 { 4694 struct smack_known *skp; 4695 char **rule = (char **)vrule; 4696 *rule = NULL; 4697 4698 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4699 return -EINVAL; 4700 4701 if (op != Audit_equal && op != Audit_not_equal) 4702 return -EINVAL; 4703 4704 skp = smk_import_entry(rulestr, 0); 4705 if (IS_ERR(skp)) 4706 return PTR_ERR(skp); 4707 4708 *rule = skp->smk_known; 4709 4710 return 0; 4711 } 4712 4713 /** 4714 * smack_audit_rule_known - Distinguish Smack audit rules 4715 * @krule: rule of interest, in Audit kernel representation format 4716 * 4717 * This is used to filter Smack rules from remaining Audit ones. 4718 * If it's proved that this rule belongs to us, the 4719 * audit_rule_match hook will be called to do the final judgement. 4720 */ 4721 static int smack_audit_rule_known(struct audit_krule *krule) 4722 { 4723 struct audit_field *f; 4724 int i; 4725 4726 for (i = 0; i < krule->field_count; i++) { 4727 f = &krule->fields[i]; 4728 4729 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4730 return 1; 4731 } 4732 4733 return 0; 4734 } 4735 4736 /** 4737 * smack_audit_rule_match - Audit given object ? 4738 * @prop: security id for identifying the object to test 4739 * @field: audit rule flags given from user-space 4740 * @op: required testing operator 4741 * @vrule: smack internal rule presentation 4742 * 4743 * The core Audit hook. It's used to take the decision of 4744 * whether to audit or not to audit a given object. 4745 */ 4746 static int smack_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, 4747 void *vrule) 4748 { 4749 struct smack_known *skp = prop->smack.skp; 4750 char *rule = vrule; 4751 4752 if (unlikely(!rule)) { 4753 WARN_ONCE(1, "Smack: missing rule\n"); 4754 return -ENOENT; 4755 } 4756 4757 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4758 return 0; 4759 4760 /* 4761 * No need to do string comparisons. If a match occurs, 4762 * both pointers will point to the same smack_known 4763 * label. 4764 */ 4765 if (op == Audit_equal) 4766 return (rule == skp->smk_known); 4767 if (op == Audit_not_equal) 4768 return (rule != skp->smk_known); 4769 4770 return 0; 4771 } 4772 4773 /* 4774 * There is no need for a smack_audit_rule_free hook. 4775 * No memory was allocated. 4776 */ 4777 4778 #endif /* CONFIG_AUDIT */ 4779 4780 /** 4781 * smack_ismaclabel - check if xattr @name references a smack MAC label 4782 * @name: Full xattr name to check. 4783 */ 4784 static int smack_ismaclabel(const char *name) 4785 { 4786 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4787 } 4788 4789 /** 4790 * smack_to_secctx - fill a lsm_context 4791 * @skp: Smack label 4792 * @cp: destination 4793 * 4794 * Fill the passed @cp and return the length of the string 4795 */ 4796 static int smack_to_secctx(struct smack_known *skp, struct lsm_context *cp) 4797 { 4798 int len = strlen(skp->smk_known); 4799 4800 if (cp) { 4801 cp->context = skp->smk_known; 4802 cp->len = len; 4803 cp->id = LSM_ID_SMACK; 4804 } 4805 return len; 4806 } 4807 4808 /** 4809 * smack_secid_to_secctx - return the smack label for a secid 4810 * @secid: incoming integer 4811 * @cp: destination 4812 * 4813 * Exists for networking code. 4814 */ 4815 static int smack_secid_to_secctx(u32 secid, struct lsm_context *cp) 4816 { 4817 return smack_to_secctx(smack_from_secid(secid), cp); 4818 } 4819 4820 /** 4821 * smack_lsmprop_to_secctx - return the smack label 4822 * @prop: includes incoming Smack data 4823 * @cp: destination 4824 * 4825 * Exists for audit code. 4826 */ 4827 static int smack_lsmprop_to_secctx(struct lsm_prop *prop, 4828 struct lsm_context *cp) 4829 { 4830 return smack_to_secctx(prop->smack.skp, cp); 4831 } 4832 4833 /** 4834 * smack_secctx_to_secid - return the secid for a smack label 4835 * @secdata: smack label 4836 * @seclen: how long result is 4837 * @secid: outgoing integer 4838 * 4839 * Exists for audit and networking code. 4840 */ 4841 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4842 { 4843 struct smack_known *skp = smk_find_entry(secdata); 4844 4845 if (skp) 4846 *secid = skp->smk_secid; 4847 else 4848 *secid = 0; 4849 return 0; 4850 } 4851 4852 /* 4853 * There used to be a smack_release_secctx hook 4854 * that did nothing back when hooks were in a vector. 4855 * Now that there's a list such a hook adds cost. 4856 */ 4857 4858 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4859 { 4860 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4861 ctxlen, 0); 4862 } 4863 4864 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4865 { 4866 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4867 ctx, ctxlen, 0, NULL); 4868 } 4869 4870 static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 4871 { 4872 struct smack_known *skp = smk_of_inode(inode); 4873 4874 cp->context = skp->smk_known; 4875 cp->len = strlen(skp->smk_known); 4876 cp->id = LSM_ID_SMACK; 4877 return 0; 4878 } 4879 4880 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4881 { 4882 4883 struct task_smack *tsp; 4884 struct smack_known *skp; 4885 struct inode_smack *isp; 4886 struct cred *new_creds = *new; 4887 4888 if (new_creds == NULL) { 4889 new_creds = prepare_creds(); 4890 if (new_creds == NULL) 4891 return -ENOMEM; 4892 } 4893 4894 tsp = smack_cred(new_creds); 4895 4896 /* 4897 * Get label from overlay inode and set it in create_sid 4898 */ 4899 isp = smack_inode(d_inode(dentry)); 4900 skp = isp->smk_inode; 4901 tsp->smk_task = skp; 4902 *new = new_creds; 4903 return 0; 4904 } 4905 4906 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4907 { 4908 /* 4909 * Return -ECANCELED if this is the smack access Smack attribute. 4910 */ 4911 if (!strcmp(name, XATTR_NAME_SMACK)) 4912 return -ECANCELED; 4913 4914 return -EOPNOTSUPP; 4915 } 4916 4917 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4918 struct qstr *name, 4919 const struct cred *old, 4920 struct cred *new) 4921 { 4922 struct task_smack *otsp = smack_cred(old); 4923 struct task_smack *ntsp = smack_cred(new); 4924 struct inode_smack *isp; 4925 int may; 4926 4927 /* 4928 * Use the process credential unless all of 4929 * the transmuting criteria are met 4930 */ 4931 ntsp->smk_task = otsp->smk_task; 4932 4933 /* 4934 * the attribute of the containing directory 4935 */ 4936 isp = smack_inode(d_inode(dentry->d_parent)); 4937 4938 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4939 rcu_read_lock(); 4940 may = smk_access_entry(otsp->smk_task->smk_known, 4941 isp->smk_inode->smk_known, 4942 &otsp->smk_task->smk_rules); 4943 rcu_read_unlock(); 4944 4945 /* 4946 * If the directory is transmuting and the rule 4947 * providing access is transmuting use the containing 4948 * directory label instead of the process label. 4949 */ 4950 if (may > 0 && (may & MAY_TRANSMUTE)) { 4951 ntsp->smk_task = isp->smk_inode; 4952 ntsp->smk_transmuted = ntsp->smk_task; 4953 } 4954 } 4955 return 0; 4956 } 4957 4958 #ifdef CONFIG_IO_URING 4959 /** 4960 * smack_uring_override_creds - Is io_uring cred override allowed? 4961 * @new: the target creds 4962 * 4963 * Check to see if the current task is allowed to override it's credentials 4964 * to service an io_uring operation. 4965 */ 4966 static int smack_uring_override_creds(const struct cred *new) 4967 { 4968 struct task_smack *tsp = smack_cred(current_cred()); 4969 struct task_smack *nsp = smack_cred(new); 4970 4971 /* 4972 * Allow the degenerate case where the new Smack value is 4973 * the same as the current Smack value. 4974 */ 4975 if (tsp->smk_task == nsp->smk_task) 4976 return 0; 4977 4978 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4979 return 0; 4980 4981 return -EPERM; 4982 } 4983 4984 /** 4985 * smack_uring_sqpoll - check if a io_uring polling thread can be created 4986 * 4987 * Check to see if the current task is allowed to create a new io_uring 4988 * kernel polling thread. 4989 */ 4990 static int smack_uring_sqpoll(void) 4991 { 4992 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 4993 return 0; 4994 4995 return -EPERM; 4996 } 4997 4998 /** 4999 * smack_uring_cmd - check on file operations for io_uring 5000 * @ioucmd: the command in question 5001 * 5002 * Make a best guess about whether a io_uring "command" should 5003 * be allowed. Use the same logic used for determining if the 5004 * file could be opened for read in the absence of better criteria. 5005 */ 5006 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5007 { 5008 struct file *file = ioucmd->file; 5009 struct smk_audit_info ad; 5010 struct task_smack *tsp; 5011 struct inode *inode; 5012 int rc; 5013 5014 if (!file) 5015 return -EINVAL; 5016 5017 tsp = smack_cred(file->f_cred); 5018 inode = file_inode(file); 5019 5020 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5021 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5022 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5023 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5024 5025 return rc; 5026 } 5027 5028 #endif /* CONFIG_IO_URING */ 5029 5030 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5031 .lbs_cred = sizeof(struct task_smack), 5032 .lbs_file = sizeof(struct smack_known *), 5033 .lbs_inode = sizeof(struct inode_smack), 5034 .lbs_ipc = sizeof(struct smack_known *), 5035 .lbs_key = sizeof(struct smack_known *), 5036 .lbs_msg_msg = sizeof(struct smack_known *), 5037 .lbs_sock = sizeof(struct socket_smack), 5038 .lbs_superblock = sizeof(struct superblock_smack), 5039 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5040 }; 5041 5042 static const struct lsm_id smack_lsmid = { 5043 .name = "smack", 5044 .id = LSM_ID_SMACK, 5045 }; 5046 5047 static struct security_hook_list smack_hooks[] __ro_after_init = { 5048 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5049 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5050 LSM_HOOK_INIT(syslog, smack_syslog), 5051 5052 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5053 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5054 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5055 5056 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5057 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5058 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5059 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5060 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5061 5062 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5063 5064 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5065 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5066 LSM_HOOK_INIT(inode_link, smack_inode_link), 5067 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5068 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5069 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5070 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5071 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5072 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5073 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5074 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5075 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5076 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5077 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5078 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5079 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5080 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5081 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5082 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5083 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5084 LSM_HOOK_INIT(inode_getlsmprop, smack_inode_getlsmprop), 5085 5086 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5087 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5088 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5089 LSM_HOOK_INIT(file_lock, smack_file_lock), 5090 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5091 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5092 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5093 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5094 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5095 LSM_HOOK_INIT(file_receive, smack_file_receive), 5096 5097 LSM_HOOK_INIT(file_open, smack_file_open), 5098 5099 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5100 LSM_HOOK_INIT(cred_free, smack_cred_free), 5101 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5102 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5103 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5104 LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop), 5105 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5106 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5107 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5108 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5109 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5110 LSM_HOOK_INIT(current_getlsmprop_subj, smack_current_getlsmprop_subj), 5111 LSM_HOOK_INIT(task_getlsmprop_obj, smack_task_getlsmprop_obj), 5112 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5113 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5114 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5115 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5116 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5117 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5118 LSM_HOOK_INIT(task_kill, smack_task_kill), 5119 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5120 5121 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5122 LSM_HOOK_INIT(ipc_getlsmprop, smack_ipc_getlsmprop), 5123 5124 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5125 5126 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5127 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5128 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5129 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5130 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5131 5132 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5133 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5134 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5135 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5136 5137 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5138 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5139 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5140 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5141 5142 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5143 5144 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5145 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5146 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5147 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5148 5149 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5150 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5151 5152 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5153 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5154 #ifdef SMACK_IPV6_PORT_LABELING 5155 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5156 #endif 5157 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5158 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5159 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5160 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5161 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5162 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5163 #ifdef SMACK_IPV6_PORT_LABELING 5164 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5165 #endif 5166 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5167 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5168 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5169 5170 /* key management security hooks */ 5171 #ifdef CONFIG_KEYS 5172 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5173 LSM_HOOK_INIT(key_permission, smack_key_permission), 5174 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5175 #ifdef CONFIG_KEY_NOTIFICATIONS 5176 LSM_HOOK_INIT(watch_key, smack_watch_key), 5177 #endif 5178 #endif /* CONFIG_KEYS */ 5179 5180 #ifdef CONFIG_WATCH_QUEUE 5181 LSM_HOOK_INIT(post_notification, smack_post_notification), 5182 #endif 5183 5184 /* Audit hooks */ 5185 #ifdef CONFIG_AUDIT 5186 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5187 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5188 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5189 #endif /* CONFIG_AUDIT */ 5190 5191 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5192 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5193 LSM_HOOK_INIT(lsmprop_to_secctx, smack_lsmprop_to_secctx), 5194 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5195 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5196 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5197 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5198 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5199 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5200 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5201 #ifdef CONFIG_IO_URING 5202 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5203 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5204 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5205 #endif 5206 }; 5207 5208 5209 static __init void init_smack_known_list(void) 5210 { 5211 /* 5212 * Initialize rule list locks 5213 */ 5214 mutex_init(&smack_known_huh.smk_rules_lock); 5215 mutex_init(&smack_known_hat.smk_rules_lock); 5216 mutex_init(&smack_known_floor.smk_rules_lock); 5217 mutex_init(&smack_known_star.smk_rules_lock); 5218 mutex_init(&smack_known_web.smk_rules_lock); 5219 /* 5220 * Initialize rule lists 5221 */ 5222 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5223 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5224 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5225 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5226 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5227 /* 5228 * Create the known labels list 5229 */ 5230 smk_insert_entry(&smack_known_huh); 5231 smk_insert_entry(&smack_known_hat); 5232 smk_insert_entry(&smack_known_star); 5233 smk_insert_entry(&smack_known_floor); 5234 smk_insert_entry(&smack_known_web); 5235 } 5236 5237 /** 5238 * smack_init - initialize the smack system 5239 * 5240 * Returns 0 on success, -ENOMEM is there's no memory 5241 */ 5242 static __init int smack_init(void) 5243 { 5244 struct cred *cred = (struct cred *) current->cred; 5245 struct task_smack *tsp; 5246 5247 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5248 if (!smack_rule_cache) 5249 return -ENOMEM; 5250 5251 /* 5252 * Set the security state for the initial task. 5253 */ 5254 tsp = smack_cred(cred); 5255 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5256 5257 /* 5258 * Register with LSM 5259 */ 5260 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5261 smack_enabled = 1; 5262 5263 pr_info("Smack: Initializing.\n"); 5264 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5265 pr_info("Smack: Netfilter enabled.\n"); 5266 #endif 5267 #ifdef SMACK_IPV6_PORT_LABELING 5268 pr_info("Smack: IPv6 port labeling enabled.\n"); 5269 #endif 5270 #ifdef SMACK_IPV6_SECMARK_LABELING 5271 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5272 #endif 5273 5274 /* initialize the smack_known_list */ 5275 init_smack_known_list(); 5276 5277 return 0; 5278 } 5279 5280 /* 5281 * Smack requires early initialization in order to label 5282 * all processes and objects when they are created. 5283 */ 5284 DEFINE_LSM(smack) = { 5285 .name = "smack", 5286 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5287 .blobs = &smack_blob_sizes, 5288 .init = smack_init, 5289 }; 5290