1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/slab.h> 32 #include <linux/mutex.h> 33 #include <linux/pipe_fs_i.h> 34 #include <net/cipso_ipv4.h> 35 #include <net/ip.h> 36 #include <net/ipv6.h> 37 #include <linux/audit.h> 38 #include <linux/magic.h> 39 #include <linux/dcache.h> 40 #include <linux/personality.h> 41 #include <linux/msg.h> 42 #include <linux/shm.h> 43 #include <linux/binfmts.h> 44 #include <linux/parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 LIST_HEAD(smk_ipv6_port_list); 56 #endif 57 static struct kmem_cache *smack_inode_cache; 58 int smack_enabled; 59 60 static const match_table_t smk_mount_tokens = { 61 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 62 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 63 {Opt_fshat, SMK_FSHAT "%s"}, 64 {Opt_fsroot, SMK_FSROOT "%s"}, 65 {Opt_fstransmute, SMK_FSTRANS "%s"}, 66 {Opt_error, NULL}, 67 }; 68 69 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 70 static char *smk_bu_mess[] = { 71 "Bringup Error", /* Unused */ 72 "Bringup", /* SMACK_BRINGUP_ALLOW */ 73 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 74 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 75 }; 76 77 static void smk_bu_mode(int mode, char *s) 78 { 79 int i = 0; 80 81 if (mode & MAY_READ) 82 s[i++] = 'r'; 83 if (mode & MAY_WRITE) 84 s[i++] = 'w'; 85 if (mode & MAY_EXEC) 86 s[i++] = 'x'; 87 if (mode & MAY_APPEND) 88 s[i++] = 'a'; 89 if (mode & MAY_TRANSMUTE) 90 s[i++] = 't'; 91 if (mode & MAY_LOCK) 92 s[i++] = 'l'; 93 if (i == 0) 94 s[i++] = '-'; 95 s[i] = '\0'; 96 } 97 #endif 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static int smk_bu_note(char *note, struct smack_known *sskp, 101 struct smack_known *oskp, int mode, int rc) 102 { 103 char acc[SMK_NUM_ACCESS_TYPE + 1]; 104 105 if (rc <= 0) 106 return rc; 107 if (rc > SMACK_UNCONFINED_OBJECT) 108 rc = 0; 109 110 smk_bu_mode(mode, acc); 111 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 112 sskp->smk_known, oskp->smk_known, acc, note); 113 return 0; 114 } 115 #else 116 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_current(char *note, struct smack_known *oskp, 121 int mode, int rc) 122 { 123 struct task_smack *tsp = current_security(); 124 char acc[SMK_NUM_ACCESS_TYPE + 1]; 125 126 if (rc <= 0) 127 return rc; 128 if (rc > SMACK_UNCONFINED_OBJECT) 129 rc = 0; 130 131 smk_bu_mode(mode, acc); 132 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 133 tsp->smk_task->smk_known, oskp->smk_known, 134 acc, current->comm, note); 135 return 0; 136 } 137 #else 138 #define smk_bu_current(note, oskp, mode, RC) (RC) 139 #endif 140 141 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 142 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 143 { 144 struct task_smack *tsp = current_security(); 145 struct smack_known *smk_task = smk_of_task_struct(otp); 146 char acc[SMK_NUM_ACCESS_TYPE + 1]; 147 148 if (rc <= 0) 149 return rc; 150 if (rc > SMACK_UNCONFINED_OBJECT) 151 rc = 0; 152 153 smk_bu_mode(mode, acc); 154 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 155 tsp->smk_task->smk_known, smk_task->smk_known, acc, 156 current->comm, otp->comm); 157 return 0; 158 } 159 #else 160 #define smk_bu_task(otp, mode, RC) (RC) 161 #endif 162 163 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 164 static int smk_bu_inode(struct inode *inode, int mode, int rc) 165 { 166 struct task_smack *tsp = current_security(); 167 struct inode_smack *isp = inode->i_security; 168 char acc[SMK_NUM_ACCESS_TYPE + 1]; 169 170 if (isp->smk_flags & SMK_INODE_IMPURE) 171 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 172 inode->i_sb->s_id, inode->i_ino, current->comm); 173 174 if (rc <= 0) 175 return rc; 176 if (rc > SMACK_UNCONFINED_OBJECT) 177 rc = 0; 178 if (rc == SMACK_UNCONFINED_SUBJECT && 179 (mode & (MAY_WRITE | MAY_APPEND))) 180 isp->smk_flags |= SMK_INODE_IMPURE; 181 182 smk_bu_mode(mode, acc); 183 184 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 185 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 return 0; 188 } 189 #else 190 #define smk_bu_inode(inode, mode, RC) (RC) 191 #endif 192 193 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 194 static int smk_bu_file(struct file *file, int mode, int rc) 195 { 196 struct task_smack *tsp = current_security(); 197 struct smack_known *sskp = tsp->smk_task; 198 struct inode *inode = file_inode(file); 199 struct inode_smack *isp = inode->i_security; 200 char acc[SMK_NUM_ACCESS_TYPE + 1]; 201 202 if (isp->smk_flags & SMK_INODE_IMPURE) 203 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 204 inode->i_sb->s_id, inode->i_ino, current->comm); 205 206 if (rc <= 0) 207 return rc; 208 if (rc > SMACK_UNCONFINED_OBJECT) 209 rc = 0; 210 211 smk_bu_mode(mode, acc); 212 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 213 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 214 inode->i_sb->s_id, inode->i_ino, file, 215 current->comm); 216 return 0; 217 } 218 #else 219 #define smk_bu_file(file, mode, RC) (RC) 220 #endif 221 222 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 223 static int smk_bu_credfile(const struct cred *cred, struct file *file, 224 int mode, int rc) 225 { 226 struct task_smack *tsp = cred->security; 227 struct smack_known *sskp = tsp->smk_task; 228 struct inode *inode = file->f_inode; 229 struct inode_smack *isp = inode->i_security; 230 char acc[SMK_NUM_ACCESS_TYPE + 1]; 231 232 if (isp->smk_flags & SMK_INODE_IMPURE) 233 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 234 inode->i_sb->s_id, inode->i_ino, current->comm); 235 236 if (rc <= 0) 237 return rc; 238 if (rc > SMACK_UNCONFINED_OBJECT) 239 rc = 0; 240 241 smk_bu_mode(mode, acc); 242 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 243 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 244 inode->i_sb->s_id, inode->i_ino, file, 245 current->comm); 246 return 0; 247 } 248 #else 249 #define smk_bu_credfile(cred, file, mode, RC) (RC) 250 #endif 251 252 /** 253 * smk_fetch - Fetch the smack label from a file. 254 * @name: type of the label (attribute) 255 * @ip: a pointer to the inode 256 * @dp: a pointer to the dentry 257 * 258 * Returns a pointer to the master list entry for the Smack label, 259 * NULL if there was no label to fetch, or an error code. 260 */ 261 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 262 struct dentry *dp) 263 { 264 int rc; 265 char *buffer; 266 struct smack_known *skp = NULL; 267 268 if (ip->i_op->getxattr == NULL) 269 return ERR_PTR(-EOPNOTSUPP); 270 271 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 272 if (buffer == NULL) 273 return ERR_PTR(-ENOMEM); 274 275 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL); 276 if (rc < 0) 277 skp = ERR_PTR(rc); 278 else if (rc == 0) 279 skp = NULL; 280 else 281 skp = smk_import_entry(buffer, rc); 282 283 kfree(buffer); 284 285 return skp; 286 } 287 288 /** 289 * new_inode_smack - allocate an inode security blob 290 * @skp: a pointer to the Smack label entry to use in the blob 291 * 292 * Returns the new blob or NULL if there's no memory available 293 */ 294 static struct inode_smack *new_inode_smack(struct smack_known *skp) 295 { 296 struct inode_smack *isp; 297 298 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 299 if (isp == NULL) 300 return NULL; 301 302 isp->smk_inode = skp; 303 isp->smk_flags = 0; 304 mutex_init(&isp->smk_lock); 305 306 return isp; 307 } 308 309 /** 310 * new_task_smack - allocate a task security blob 311 * @task: a pointer to the Smack label for the running task 312 * @forked: a pointer to the Smack label for the forked task 313 * @gfp: type of the memory for the allocation 314 * 315 * Returns the new blob or NULL if there's no memory available 316 */ 317 static struct task_smack *new_task_smack(struct smack_known *task, 318 struct smack_known *forked, gfp_t gfp) 319 { 320 struct task_smack *tsp; 321 322 tsp = kzalloc(sizeof(struct task_smack), gfp); 323 if (tsp == NULL) 324 return NULL; 325 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 mutex_init(&tsp->smk_rules_lock); 330 331 return tsp; 332 } 333 334 /** 335 * smk_copy_rules - copy a rule set 336 * @nhead: new rules header pointer 337 * @ohead: old rules header pointer 338 * @gfp: type of the memory for the allocation 339 * 340 * Returns 0 on success, -ENOMEM on error 341 */ 342 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 343 gfp_t gfp) 344 { 345 struct smack_rule *nrp; 346 struct smack_rule *orp; 347 int rc = 0; 348 349 INIT_LIST_HEAD(nhead); 350 351 list_for_each_entry_rcu(orp, ohead, list) { 352 nrp = kzalloc(sizeof(struct smack_rule), gfp); 353 if (nrp == NULL) { 354 rc = -ENOMEM; 355 break; 356 } 357 *nrp = *orp; 358 list_add_rcu(&nrp->list, nhead); 359 } 360 return rc; 361 } 362 363 /** 364 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 365 * @mode - input mode in form of PTRACE_MODE_* 366 * 367 * Returns a converted MAY_* mode usable by smack rules 368 */ 369 static inline unsigned int smk_ptrace_mode(unsigned int mode) 370 { 371 switch (mode) { 372 case PTRACE_MODE_READ: 373 return MAY_READ; 374 case PTRACE_MODE_ATTACH: 375 return MAY_READWRITE; 376 } 377 378 return 0; 379 } 380 381 /** 382 * smk_ptrace_rule_check - helper for ptrace access 383 * @tracer: tracer process 384 * @tracee_known: label entry of the process that's about to be traced 385 * @mode: ptrace attachment mode (PTRACE_MODE_*) 386 * @func: name of the function that called us, used for audit 387 * 388 * Returns 0 on access granted, -error on error 389 */ 390 static int smk_ptrace_rule_check(struct task_struct *tracer, 391 struct smack_known *tracee_known, 392 unsigned int mode, const char *func) 393 { 394 int rc; 395 struct smk_audit_info ad, *saip = NULL; 396 struct task_smack *tsp; 397 struct smack_known *tracer_known; 398 399 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 400 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 401 smk_ad_setfield_u_tsk(&ad, tracer); 402 saip = &ad; 403 } 404 405 rcu_read_lock(); 406 tsp = __task_cred(tracer)->security; 407 tracer_known = smk_of_task(tsp); 408 409 if ((mode & PTRACE_MODE_ATTACH) && 410 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 411 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 412 if (tracer_known->smk_known == tracee_known->smk_known) 413 rc = 0; 414 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 415 rc = -EACCES; 416 else if (capable(CAP_SYS_PTRACE)) 417 rc = 0; 418 else 419 rc = -EACCES; 420 421 if (saip) 422 smack_log(tracer_known->smk_known, 423 tracee_known->smk_known, 424 0, rc, saip); 425 426 rcu_read_unlock(); 427 return rc; 428 } 429 430 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 431 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 432 433 rcu_read_unlock(); 434 return rc; 435 } 436 437 /* 438 * LSM hooks. 439 * We he, that is fun! 440 */ 441 442 /** 443 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 444 * @ctp: child task pointer 445 * @mode: ptrace attachment mode (PTRACE_MODE_*) 446 * 447 * Returns 0 if access is OK, an error code otherwise 448 * 449 * Do the capability checks. 450 */ 451 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 452 { 453 struct smack_known *skp; 454 455 skp = smk_of_task_struct(ctp); 456 457 return smk_ptrace_rule_check(current, skp, mode, __func__); 458 } 459 460 /** 461 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 462 * @ptp: parent task pointer 463 * 464 * Returns 0 if access is OK, an error code otherwise 465 * 466 * Do the capability checks, and require PTRACE_MODE_ATTACH. 467 */ 468 static int smack_ptrace_traceme(struct task_struct *ptp) 469 { 470 int rc; 471 struct smack_known *skp; 472 473 skp = smk_of_task(current_security()); 474 475 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 476 return rc; 477 } 478 479 /** 480 * smack_syslog - Smack approval on syslog 481 * @type: message type 482 * 483 * Returns 0 on success, error code otherwise. 484 */ 485 static int smack_syslog(int typefrom_file) 486 { 487 int rc = 0; 488 struct smack_known *skp = smk_of_current(); 489 490 if (smack_privileged(CAP_MAC_OVERRIDE)) 491 return 0; 492 493 if (smack_syslog_label != NULL && smack_syslog_label != skp) 494 rc = -EACCES; 495 496 return rc; 497 } 498 499 500 /* 501 * Superblock Hooks. 502 */ 503 504 /** 505 * smack_sb_alloc_security - allocate a superblock blob 506 * @sb: the superblock getting the blob 507 * 508 * Returns 0 on success or -ENOMEM on error. 509 */ 510 static int smack_sb_alloc_security(struct super_block *sb) 511 { 512 struct superblock_smack *sbsp; 513 514 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 515 516 if (sbsp == NULL) 517 return -ENOMEM; 518 519 sbsp->smk_root = &smack_known_floor; 520 sbsp->smk_default = &smack_known_floor; 521 sbsp->smk_floor = &smack_known_floor; 522 sbsp->smk_hat = &smack_known_hat; 523 /* 524 * smk_initialized will be zero from kzalloc. 525 */ 526 sb->s_security = sbsp; 527 528 return 0; 529 } 530 531 /** 532 * smack_sb_free_security - free a superblock blob 533 * @sb: the superblock getting the blob 534 * 535 */ 536 static void smack_sb_free_security(struct super_block *sb) 537 { 538 kfree(sb->s_security); 539 sb->s_security = NULL; 540 } 541 542 /** 543 * smack_sb_copy_data - copy mount options data for processing 544 * @orig: where to start 545 * @smackopts: mount options string 546 * 547 * Returns 0 on success or -ENOMEM on error. 548 * 549 * Copy the Smack specific mount options out of the mount 550 * options list. 551 */ 552 static int smack_sb_copy_data(char *orig, char *smackopts) 553 { 554 char *cp, *commap, *otheropts, *dp; 555 556 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 557 if (otheropts == NULL) 558 return -ENOMEM; 559 560 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 561 if (strstr(cp, SMK_FSDEFAULT) == cp) 562 dp = smackopts; 563 else if (strstr(cp, SMK_FSFLOOR) == cp) 564 dp = smackopts; 565 else if (strstr(cp, SMK_FSHAT) == cp) 566 dp = smackopts; 567 else if (strstr(cp, SMK_FSROOT) == cp) 568 dp = smackopts; 569 else if (strstr(cp, SMK_FSTRANS) == cp) 570 dp = smackopts; 571 else 572 dp = otheropts; 573 574 commap = strchr(cp, ','); 575 if (commap != NULL) 576 *commap = '\0'; 577 578 if (*dp != '\0') 579 strcat(dp, ","); 580 strcat(dp, cp); 581 } 582 583 strcpy(orig, otheropts); 584 free_page((unsigned long)otheropts); 585 586 return 0; 587 } 588 589 /** 590 * smack_parse_opts_str - parse Smack specific mount options 591 * @options: mount options string 592 * @opts: where to store converted mount opts 593 * 594 * Returns 0 on success or -ENOMEM on error. 595 * 596 * converts Smack specific mount options to generic security option format 597 */ 598 static int smack_parse_opts_str(char *options, 599 struct security_mnt_opts *opts) 600 { 601 char *p; 602 char *fsdefault = NULL; 603 char *fsfloor = NULL; 604 char *fshat = NULL; 605 char *fsroot = NULL; 606 char *fstransmute = NULL; 607 int rc = -ENOMEM; 608 int num_mnt_opts = 0; 609 int token; 610 611 opts->num_mnt_opts = 0; 612 613 if (!options) 614 return 0; 615 616 while ((p = strsep(&options, ",")) != NULL) { 617 substring_t args[MAX_OPT_ARGS]; 618 619 if (!*p) 620 continue; 621 622 token = match_token(p, smk_mount_tokens, args); 623 624 switch (token) { 625 case Opt_fsdefault: 626 if (fsdefault) 627 goto out_opt_err; 628 fsdefault = match_strdup(&args[0]); 629 if (!fsdefault) 630 goto out_err; 631 break; 632 case Opt_fsfloor: 633 if (fsfloor) 634 goto out_opt_err; 635 fsfloor = match_strdup(&args[0]); 636 if (!fsfloor) 637 goto out_err; 638 break; 639 case Opt_fshat: 640 if (fshat) 641 goto out_opt_err; 642 fshat = match_strdup(&args[0]); 643 if (!fshat) 644 goto out_err; 645 break; 646 case Opt_fsroot: 647 if (fsroot) 648 goto out_opt_err; 649 fsroot = match_strdup(&args[0]); 650 if (!fsroot) 651 goto out_err; 652 break; 653 case Opt_fstransmute: 654 if (fstransmute) 655 goto out_opt_err; 656 fstransmute = match_strdup(&args[0]); 657 if (!fstransmute) 658 goto out_err; 659 break; 660 default: 661 rc = -EINVAL; 662 pr_warn("Smack: unknown mount option\n"); 663 goto out_err; 664 } 665 } 666 667 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 668 if (!opts->mnt_opts) 669 goto out_err; 670 671 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), 672 GFP_ATOMIC); 673 if (!opts->mnt_opts_flags) { 674 kfree(opts->mnt_opts); 675 goto out_err; 676 } 677 678 if (fsdefault) { 679 opts->mnt_opts[num_mnt_opts] = fsdefault; 680 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; 681 } 682 if (fsfloor) { 683 opts->mnt_opts[num_mnt_opts] = fsfloor; 684 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; 685 } 686 if (fshat) { 687 opts->mnt_opts[num_mnt_opts] = fshat; 688 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; 689 } 690 if (fsroot) { 691 opts->mnt_opts[num_mnt_opts] = fsroot; 692 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; 693 } 694 if (fstransmute) { 695 opts->mnt_opts[num_mnt_opts] = fstransmute; 696 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; 697 } 698 699 opts->num_mnt_opts = num_mnt_opts; 700 return 0; 701 702 out_opt_err: 703 rc = -EINVAL; 704 pr_warn("Smack: duplicate mount options\n"); 705 706 out_err: 707 kfree(fsdefault); 708 kfree(fsfloor); 709 kfree(fshat); 710 kfree(fsroot); 711 kfree(fstransmute); 712 return rc; 713 } 714 715 /** 716 * smack_set_mnt_opts - set Smack specific mount options 717 * @sb: the file system superblock 718 * @opts: Smack mount options 719 * @kern_flags: mount option from kernel space or user space 720 * @set_kern_flags: where to store converted mount opts 721 * 722 * Returns 0 on success, an error code on failure 723 * 724 * Allow filesystems with binary mount data to explicitly set Smack mount 725 * labels. 726 */ 727 static int smack_set_mnt_opts(struct super_block *sb, 728 struct security_mnt_opts *opts, 729 unsigned long kern_flags, 730 unsigned long *set_kern_flags) 731 { 732 struct dentry *root = sb->s_root; 733 struct inode *inode = d_backing_inode(root); 734 struct superblock_smack *sp = sb->s_security; 735 struct inode_smack *isp; 736 struct smack_known *skp; 737 int i; 738 int num_opts = opts->num_mnt_opts; 739 int transmute = 0; 740 741 if (sp->smk_initialized) 742 return 0; 743 744 sp->smk_initialized = 1; 745 746 for (i = 0; i < num_opts; i++) { 747 switch (opts->mnt_opts_flags[i]) { 748 case FSDEFAULT_MNT: 749 skp = smk_import_entry(opts->mnt_opts[i], 0); 750 if (IS_ERR(skp)) 751 return PTR_ERR(skp); 752 sp->smk_default = skp; 753 break; 754 case FSFLOOR_MNT: 755 skp = smk_import_entry(opts->mnt_opts[i], 0); 756 if (IS_ERR(skp)) 757 return PTR_ERR(skp); 758 sp->smk_floor = skp; 759 break; 760 case FSHAT_MNT: 761 skp = smk_import_entry(opts->mnt_opts[i], 0); 762 if (IS_ERR(skp)) 763 return PTR_ERR(skp); 764 sp->smk_hat = skp; 765 break; 766 case FSROOT_MNT: 767 skp = smk_import_entry(opts->mnt_opts[i], 0); 768 if (IS_ERR(skp)) 769 return PTR_ERR(skp); 770 sp->smk_root = skp; 771 break; 772 case FSTRANS_MNT: 773 skp = smk_import_entry(opts->mnt_opts[i], 0); 774 if (IS_ERR(skp)) 775 return PTR_ERR(skp); 776 sp->smk_root = skp; 777 transmute = 1; 778 break; 779 default: 780 break; 781 } 782 } 783 784 if (!smack_privileged(CAP_MAC_ADMIN)) { 785 /* 786 * Unprivileged mounts don't get to specify Smack values. 787 */ 788 if (num_opts) 789 return -EPERM; 790 /* 791 * Unprivileged mounts get root and default from the caller. 792 */ 793 skp = smk_of_current(); 794 sp->smk_root = skp; 795 sp->smk_default = skp; 796 } 797 798 /* 799 * Initialize the root inode. 800 */ 801 isp = inode->i_security; 802 if (isp == NULL) { 803 isp = new_inode_smack(sp->smk_root); 804 if (isp == NULL) 805 return -ENOMEM; 806 inode->i_security = isp; 807 } else 808 isp->smk_inode = sp->smk_root; 809 810 if (transmute) 811 isp->smk_flags |= SMK_INODE_TRANSMUTE; 812 813 return 0; 814 } 815 816 /** 817 * smack_sb_kern_mount - Smack specific mount processing 818 * @sb: the file system superblock 819 * @flags: the mount flags 820 * @data: the smack mount options 821 * 822 * Returns 0 on success, an error code on failure 823 */ 824 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 825 { 826 int rc = 0; 827 char *options = data; 828 struct security_mnt_opts opts; 829 830 security_init_mnt_opts(&opts); 831 832 if (!options) 833 goto out; 834 835 rc = smack_parse_opts_str(options, &opts); 836 if (rc) 837 goto out_err; 838 839 out: 840 rc = smack_set_mnt_opts(sb, &opts, 0, NULL); 841 842 out_err: 843 security_free_mnt_opts(&opts); 844 return rc; 845 } 846 847 /** 848 * smack_sb_statfs - Smack check on statfs 849 * @dentry: identifies the file system in question 850 * 851 * Returns 0 if current can read the floor of the filesystem, 852 * and error code otherwise 853 */ 854 static int smack_sb_statfs(struct dentry *dentry) 855 { 856 struct superblock_smack *sbp = dentry->d_sb->s_security; 857 int rc; 858 struct smk_audit_info ad; 859 860 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 861 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 862 863 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 864 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 865 return rc; 866 } 867 868 /* 869 * BPRM hooks 870 */ 871 872 /** 873 * smack_bprm_set_creds - set creds for exec 874 * @bprm: the exec information 875 * 876 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 877 */ 878 static int smack_bprm_set_creds(struct linux_binprm *bprm) 879 { 880 struct inode *inode = file_inode(bprm->file); 881 struct task_smack *bsp = bprm->cred->security; 882 struct inode_smack *isp; 883 int rc; 884 885 if (bprm->cred_prepared) 886 return 0; 887 888 isp = inode->i_security; 889 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 890 return 0; 891 892 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 893 struct task_struct *tracer; 894 rc = 0; 895 896 rcu_read_lock(); 897 tracer = ptrace_parent(current); 898 if (likely(tracer != NULL)) 899 rc = smk_ptrace_rule_check(tracer, 900 isp->smk_task, 901 PTRACE_MODE_ATTACH, 902 __func__); 903 rcu_read_unlock(); 904 905 if (rc != 0) 906 return rc; 907 } else if (bprm->unsafe) 908 return -EPERM; 909 910 bsp->smk_task = isp->smk_task; 911 bprm->per_clear |= PER_CLEAR_ON_SETID; 912 913 return 0; 914 } 915 916 /** 917 * smack_bprm_committing_creds - Prepare to install the new credentials 918 * from bprm. 919 * 920 * @bprm: binprm for exec 921 */ 922 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 923 { 924 struct task_smack *bsp = bprm->cred->security; 925 926 if (bsp->smk_task != bsp->smk_forked) 927 current->pdeath_signal = 0; 928 } 929 930 /** 931 * smack_bprm_secureexec - Return the decision to use secureexec. 932 * @bprm: binprm for exec 933 * 934 * Returns 0 on success. 935 */ 936 static int smack_bprm_secureexec(struct linux_binprm *bprm) 937 { 938 struct task_smack *tsp = current_security(); 939 940 if (tsp->smk_task != tsp->smk_forked) 941 return 1; 942 943 return 0; 944 } 945 946 /* 947 * Inode hooks 948 */ 949 950 /** 951 * smack_inode_alloc_security - allocate an inode blob 952 * @inode: the inode in need of a blob 953 * 954 * Returns 0 if it gets a blob, -ENOMEM otherwise 955 */ 956 static int smack_inode_alloc_security(struct inode *inode) 957 { 958 struct smack_known *skp = smk_of_current(); 959 960 inode->i_security = new_inode_smack(skp); 961 if (inode->i_security == NULL) 962 return -ENOMEM; 963 return 0; 964 } 965 966 /** 967 * smack_inode_free_security - free an inode blob 968 * @inode: the inode with a blob 969 * 970 * Clears the blob pointer in inode 971 */ 972 static void smack_inode_free_security(struct inode *inode) 973 { 974 kmem_cache_free(smack_inode_cache, inode->i_security); 975 inode->i_security = NULL; 976 } 977 978 /** 979 * smack_inode_init_security - copy out the smack from an inode 980 * @inode: the newly created inode 981 * @dir: containing directory object 982 * @qstr: unused 983 * @name: where to put the attribute name 984 * @value: where to put the attribute value 985 * @len: where to put the length of the attribute 986 * 987 * Returns 0 if it all works out, -ENOMEM if there's no memory 988 */ 989 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 990 const struct qstr *qstr, const char **name, 991 void **value, size_t *len) 992 { 993 struct inode_smack *issp = inode->i_security; 994 struct smack_known *skp = smk_of_current(); 995 struct smack_known *isp = smk_of_inode(inode); 996 struct smack_known *dsp = smk_of_inode(dir); 997 int may; 998 999 if (name) 1000 *name = XATTR_SMACK_SUFFIX; 1001 1002 if (value && len) { 1003 rcu_read_lock(); 1004 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1005 &skp->smk_rules); 1006 rcu_read_unlock(); 1007 1008 /* 1009 * If the access rule allows transmutation and 1010 * the directory requests transmutation then 1011 * by all means transmute. 1012 * Mark the inode as changed. 1013 */ 1014 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1015 smk_inode_transmutable(dir)) { 1016 isp = dsp; 1017 issp->smk_flags |= SMK_INODE_CHANGED; 1018 } 1019 1020 *value = kstrdup(isp->smk_known, GFP_NOFS); 1021 if (*value == NULL) 1022 return -ENOMEM; 1023 1024 *len = strlen(isp->smk_known); 1025 } 1026 1027 return 0; 1028 } 1029 1030 /** 1031 * smack_inode_link - Smack check on link 1032 * @old_dentry: the existing object 1033 * @dir: unused 1034 * @new_dentry: the new object 1035 * 1036 * Returns 0 if access is permitted, an error code otherwise 1037 */ 1038 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1039 struct dentry *new_dentry) 1040 { 1041 struct smack_known *isp; 1042 struct smk_audit_info ad; 1043 int rc; 1044 1045 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1046 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1047 1048 isp = smk_of_inode(d_backing_inode(old_dentry)); 1049 rc = smk_curacc(isp, MAY_WRITE, &ad); 1050 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1051 1052 if (rc == 0 && d_is_positive(new_dentry)) { 1053 isp = smk_of_inode(d_backing_inode(new_dentry)); 1054 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1055 rc = smk_curacc(isp, MAY_WRITE, &ad); 1056 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1057 } 1058 1059 return rc; 1060 } 1061 1062 /** 1063 * smack_inode_unlink - Smack check on inode deletion 1064 * @dir: containing directory object 1065 * @dentry: file to unlink 1066 * 1067 * Returns 0 if current can write the containing directory 1068 * and the object, error code otherwise 1069 */ 1070 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1071 { 1072 struct inode *ip = d_backing_inode(dentry); 1073 struct smk_audit_info ad; 1074 int rc; 1075 1076 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1077 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1078 1079 /* 1080 * You need write access to the thing you're unlinking 1081 */ 1082 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1083 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1084 if (rc == 0) { 1085 /* 1086 * You also need write access to the containing directory 1087 */ 1088 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1089 smk_ad_setfield_u_fs_inode(&ad, dir); 1090 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1091 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1092 } 1093 return rc; 1094 } 1095 1096 /** 1097 * smack_inode_rmdir - Smack check on directory deletion 1098 * @dir: containing directory object 1099 * @dentry: directory to unlink 1100 * 1101 * Returns 0 if current can write the containing directory 1102 * and the directory, error code otherwise 1103 */ 1104 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1105 { 1106 struct smk_audit_info ad; 1107 int rc; 1108 1109 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1110 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1111 1112 /* 1113 * You need write access to the thing you're removing 1114 */ 1115 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1116 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1117 if (rc == 0) { 1118 /* 1119 * You also need write access to the containing directory 1120 */ 1121 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1122 smk_ad_setfield_u_fs_inode(&ad, dir); 1123 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1124 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1125 } 1126 1127 return rc; 1128 } 1129 1130 /** 1131 * smack_inode_rename - Smack check on rename 1132 * @old_inode: unused 1133 * @old_dentry: the old object 1134 * @new_inode: unused 1135 * @new_dentry: the new object 1136 * 1137 * Read and write access is required on both the old and 1138 * new directories. 1139 * 1140 * Returns 0 if access is permitted, an error code otherwise 1141 */ 1142 static int smack_inode_rename(struct inode *old_inode, 1143 struct dentry *old_dentry, 1144 struct inode *new_inode, 1145 struct dentry *new_dentry) 1146 { 1147 int rc; 1148 struct smack_known *isp; 1149 struct smk_audit_info ad; 1150 1151 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1152 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1153 1154 isp = smk_of_inode(d_backing_inode(old_dentry)); 1155 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1156 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1157 1158 if (rc == 0 && d_is_positive(new_dentry)) { 1159 isp = smk_of_inode(d_backing_inode(new_dentry)); 1160 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1161 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1162 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1163 } 1164 return rc; 1165 } 1166 1167 /** 1168 * smack_inode_permission - Smack version of permission() 1169 * @inode: the inode in question 1170 * @mask: the access requested 1171 * 1172 * This is the important Smack hook. 1173 * 1174 * Returns 0 if access is permitted, -EACCES otherwise 1175 */ 1176 static int smack_inode_permission(struct inode *inode, int mask) 1177 { 1178 struct smk_audit_info ad; 1179 int no_block = mask & MAY_NOT_BLOCK; 1180 int rc; 1181 1182 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1183 /* 1184 * No permission to check. Existence test. Yup, it's there. 1185 */ 1186 if (mask == 0) 1187 return 0; 1188 1189 /* May be droppable after audit */ 1190 if (no_block) 1191 return -ECHILD; 1192 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1193 smk_ad_setfield_u_fs_inode(&ad, inode); 1194 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1195 rc = smk_bu_inode(inode, mask, rc); 1196 return rc; 1197 } 1198 1199 /** 1200 * smack_inode_setattr - Smack check for setting attributes 1201 * @dentry: the object 1202 * @iattr: for the force flag 1203 * 1204 * Returns 0 if access is permitted, an error code otherwise 1205 */ 1206 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1207 { 1208 struct smk_audit_info ad; 1209 int rc; 1210 1211 /* 1212 * Need to allow for clearing the setuid bit. 1213 */ 1214 if (iattr->ia_valid & ATTR_FORCE) 1215 return 0; 1216 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1217 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1218 1219 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1220 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1221 return rc; 1222 } 1223 1224 /** 1225 * smack_inode_getattr - Smack check for getting attributes 1226 * @mnt: vfsmount of the object 1227 * @dentry: the object 1228 * 1229 * Returns 0 if access is permitted, an error code otherwise 1230 */ 1231 static int smack_inode_getattr(const struct path *path) 1232 { 1233 struct smk_audit_info ad; 1234 struct inode *inode = d_backing_inode(path->dentry); 1235 int rc; 1236 1237 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1238 smk_ad_setfield_u_fs_path(&ad, *path); 1239 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1240 rc = smk_bu_inode(inode, MAY_READ, rc); 1241 return rc; 1242 } 1243 1244 /** 1245 * smack_inode_setxattr - Smack check for setting xattrs 1246 * @dentry: the object 1247 * @name: name of the attribute 1248 * @value: value of the attribute 1249 * @size: size of the value 1250 * @flags: unused 1251 * 1252 * This protects the Smack attribute explicitly. 1253 * 1254 * Returns 0 if access is permitted, an error code otherwise 1255 */ 1256 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1257 const void *value, size_t size, int flags) 1258 { 1259 struct smk_audit_info ad; 1260 struct smack_known *skp; 1261 int check_priv = 0; 1262 int check_import = 0; 1263 int check_star = 0; 1264 int rc = 0; 1265 1266 /* 1267 * Check label validity here so import won't fail in post_setxattr 1268 */ 1269 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1270 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1271 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1272 check_priv = 1; 1273 check_import = 1; 1274 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1275 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1276 check_priv = 1; 1277 check_import = 1; 1278 check_star = 1; 1279 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1280 check_priv = 1; 1281 if (size != TRANS_TRUE_SIZE || 1282 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1283 rc = -EINVAL; 1284 } else 1285 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1286 1287 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1288 rc = -EPERM; 1289 1290 if (rc == 0 && check_import) { 1291 skp = size ? smk_import_entry(value, size) : NULL; 1292 if (IS_ERR(skp)) 1293 rc = PTR_ERR(skp); 1294 else if (skp == NULL || (check_star && 1295 (skp == &smack_known_star || skp == &smack_known_web))) 1296 rc = -EINVAL; 1297 } 1298 1299 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1300 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1301 1302 if (rc == 0) { 1303 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1304 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1305 } 1306 1307 return rc; 1308 } 1309 1310 /** 1311 * smack_inode_post_setxattr - Apply the Smack update approved above 1312 * @dentry: object 1313 * @name: attribute name 1314 * @value: attribute value 1315 * @size: attribute size 1316 * @flags: unused 1317 * 1318 * Set the pointer in the inode blob to the entry found 1319 * in the master label list. 1320 */ 1321 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1322 const void *value, size_t size, int flags) 1323 { 1324 struct smack_known *skp; 1325 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1326 1327 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1328 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1329 return; 1330 } 1331 1332 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1333 skp = smk_import_entry(value, size); 1334 if (!IS_ERR(skp)) 1335 isp->smk_inode = skp; 1336 else 1337 isp->smk_inode = &smack_known_invalid; 1338 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1339 skp = smk_import_entry(value, size); 1340 if (!IS_ERR(skp)) 1341 isp->smk_task = skp; 1342 else 1343 isp->smk_task = &smack_known_invalid; 1344 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1345 skp = smk_import_entry(value, size); 1346 if (!IS_ERR(skp)) 1347 isp->smk_mmap = skp; 1348 else 1349 isp->smk_mmap = &smack_known_invalid; 1350 } 1351 1352 return; 1353 } 1354 1355 /** 1356 * smack_inode_getxattr - Smack check on getxattr 1357 * @dentry: the object 1358 * @name: unused 1359 * 1360 * Returns 0 if access is permitted, an error code otherwise 1361 */ 1362 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1363 { 1364 struct smk_audit_info ad; 1365 int rc; 1366 1367 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1368 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1369 1370 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1371 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1372 return rc; 1373 } 1374 1375 /** 1376 * smack_inode_removexattr - Smack check on removexattr 1377 * @dentry: the object 1378 * @name: name of the attribute 1379 * 1380 * Removing the Smack attribute requires CAP_MAC_ADMIN 1381 * 1382 * Returns 0 if access is permitted, an error code otherwise 1383 */ 1384 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1385 { 1386 struct inode_smack *isp; 1387 struct smk_audit_info ad; 1388 int rc = 0; 1389 1390 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1391 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1392 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1393 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1394 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1395 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1396 if (!smack_privileged(CAP_MAC_ADMIN)) 1397 rc = -EPERM; 1398 } else 1399 rc = cap_inode_removexattr(dentry, name); 1400 1401 if (rc != 0) 1402 return rc; 1403 1404 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1405 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1406 1407 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1408 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1409 if (rc != 0) 1410 return rc; 1411 1412 isp = d_backing_inode(dentry)->i_security; 1413 /* 1414 * Don't do anything special for these. 1415 * XATTR_NAME_SMACKIPIN 1416 * XATTR_NAME_SMACKIPOUT 1417 * XATTR_NAME_SMACKEXEC 1418 */ 1419 if (strcmp(name, XATTR_NAME_SMACK) == 0) 1420 isp->smk_task = NULL; 1421 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1422 isp->smk_mmap = NULL; 1423 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1424 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1425 1426 return 0; 1427 } 1428 1429 /** 1430 * smack_inode_getsecurity - get smack xattrs 1431 * @inode: the object 1432 * @name: attribute name 1433 * @buffer: where to put the result 1434 * @alloc: unused 1435 * 1436 * Returns the size of the attribute or an error code 1437 */ 1438 static int smack_inode_getsecurity(const struct inode *inode, 1439 const char *name, void **buffer, 1440 bool alloc) 1441 { 1442 struct socket_smack *ssp; 1443 struct socket *sock; 1444 struct super_block *sbp; 1445 struct inode *ip = (struct inode *)inode; 1446 struct smack_known *isp; 1447 int ilen; 1448 int rc = 0; 1449 1450 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1451 isp = smk_of_inode(inode); 1452 ilen = strlen(isp->smk_known); 1453 *buffer = isp->smk_known; 1454 return ilen; 1455 } 1456 1457 /* 1458 * The rest of the Smack xattrs are only on sockets. 1459 */ 1460 sbp = ip->i_sb; 1461 if (sbp->s_magic != SOCKFS_MAGIC) 1462 return -EOPNOTSUPP; 1463 1464 sock = SOCKET_I(ip); 1465 if (sock == NULL || sock->sk == NULL) 1466 return -EOPNOTSUPP; 1467 1468 ssp = sock->sk->sk_security; 1469 1470 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1471 isp = ssp->smk_in; 1472 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1473 isp = ssp->smk_out; 1474 else 1475 return -EOPNOTSUPP; 1476 1477 ilen = strlen(isp->smk_known); 1478 if (rc == 0) { 1479 *buffer = isp->smk_known; 1480 rc = ilen; 1481 } 1482 1483 return rc; 1484 } 1485 1486 1487 /** 1488 * smack_inode_listsecurity - list the Smack attributes 1489 * @inode: the object 1490 * @buffer: where they go 1491 * @buffer_size: size of buffer 1492 * 1493 * Returns 0 on success, -EINVAL otherwise 1494 */ 1495 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1496 size_t buffer_size) 1497 { 1498 int len = sizeof(XATTR_NAME_SMACK); 1499 1500 if (buffer != NULL && len <= buffer_size) 1501 memcpy(buffer, XATTR_NAME_SMACK, len); 1502 1503 return len; 1504 } 1505 1506 /** 1507 * smack_inode_getsecid - Extract inode's security id 1508 * @inode: inode to extract the info from 1509 * @secid: where result will be saved 1510 */ 1511 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 1512 { 1513 struct inode_smack *isp = inode->i_security; 1514 1515 *secid = isp->smk_inode->smk_secid; 1516 } 1517 1518 /* 1519 * File Hooks 1520 */ 1521 1522 /** 1523 * smack_file_permission - Smack check on file operations 1524 * @file: unused 1525 * @mask: unused 1526 * 1527 * Returns 0 1528 * 1529 * Should access checks be done on each read or write? 1530 * UNICOS and SELinux say yes. 1531 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1532 * 1533 * I'll say no for now. Smack does not do the frequent 1534 * label changing that SELinux does. 1535 */ 1536 static int smack_file_permission(struct file *file, int mask) 1537 { 1538 return 0; 1539 } 1540 1541 /** 1542 * smack_file_alloc_security - assign a file security blob 1543 * @file: the object 1544 * 1545 * The security blob for a file is a pointer to the master 1546 * label list, so no allocation is done. 1547 * 1548 * f_security is the owner security information. It 1549 * isn't used on file access checks, it's for send_sigio. 1550 * 1551 * Returns 0 1552 */ 1553 static int smack_file_alloc_security(struct file *file) 1554 { 1555 struct smack_known *skp = smk_of_current(); 1556 1557 file->f_security = skp; 1558 return 0; 1559 } 1560 1561 /** 1562 * smack_file_free_security - clear a file security blob 1563 * @file: the object 1564 * 1565 * The security blob for a file is a pointer to the master 1566 * label list, so no memory is freed. 1567 */ 1568 static void smack_file_free_security(struct file *file) 1569 { 1570 file->f_security = NULL; 1571 } 1572 1573 /** 1574 * smack_file_ioctl - Smack check on ioctls 1575 * @file: the object 1576 * @cmd: what to do 1577 * @arg: unused 1578 * 1579 * Relies heavily on the correct use of the ioctl command conventions. 1580 * 1581 * Returns 0 if allowed, error code otherwise 1582 */ 1583 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1584 unsigned long arg) 1585 { 1586 int rc = 0; 1587 struct smk_audit_info ad; 1588 struct inode *inode = file_inode(file); 1589 1590 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1591 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1592 1593 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1594 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1595 rc = smk_bu_file(file, MAY_WRITE, rc); 1596 } 1597 1598 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1599 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1600 rc = smk_bu_file(file, MAY_READ, rc); 1601 } 1602 1603 return rc; 1604 } 1605 1606 /** 1607 * smack_file_lock - Smack check on file locking 1608 * @file: the object 1609 * @cmd: unused 1610 * 1611 * Returns 0 if current has lock access, error code otherwise 1612 */ 1613 static int smack_file_lock(struct file *file, unsigned int cmd) 1614 { 1615 struct smk_audit_info ad; 1616 int rc; 1617 struct inode *inode = file_inode(file); 1618 1619 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1620 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1621 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1622 rc = smk_bu_file(file, MAY_LOCK, rc); 1623 return rc; 1624 } 1625 1626 /** 1627 * smack_file_fcntl - Smack check on fcntl 1628 * @file: the object 1629 * @cmd: what action to check 1630 * @arg: unused 1631 * 1632 * Generally these operations are harmless. 1633 * File locking operations present an obvious mechanism 1634 * for passing information, so they require write access. 1635 * 1636 * Returns 0 if current has access, error code otherwise 1637 */ 1638 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1639 unsigned long arg) 1640 { 1641 struct smk_audit_info ad; 1642 int rc = 0; 1643 struct inode *inode = file_inode(file); 1644 1645 switch (cmd) { 1646 case F_GETLK: 1647 break; 1648 case F_SETLK: 1649 case F_SETLKW: 1650 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1651 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1652 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1653 rc = smk_bu_file(file, MAY_LOCK, rc); 1654 break; 1655 case F_SETOWN: 1656 case F_SETSIG: 1657 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1658 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1659 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1660 rc = smk_bu_file(file, MAY_WRITE, rc); 1661 break; 1662 default: 1663 break; 1664 } 1665 1666 return rc; 1667 } 1668 1669 /** 1670 * smack_mmap_file : 1671 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1672 * if mapping anonymous memory. 1673 * @file contains the file structure for file to map (may be NULL). 1674 * @reqprot contains the protection requested by the application. 1675 * @prot contains the protection that will be applied by the kernel. 1676 * @flags contains the operational flags. 1677 * Return 0 if permission is granted. 1678 */ 1679 static int smack_mmap_file(struct file *file, 1680 unsigned long reqprot, unsigned long prot, 1681 unsigned long flags) 1682 { 1683 struct smack_known *skp; 1684 struct smack_known *mkp; 1685 struct smack_rule *srp; 1686 struct task_smack *tsp; 1687 struct smack_known *okp; 1688 struct inode_smack *isp; 1689 int may; 1690 int mmay; 1691 int tmay; 1692 int rc; 1693 1694 if (file == NULL) 1695 return 0; 1696 1697 isp = file_inode(file)->i_security; 1698 if (isp->smk_mmap == NULL) 1699 return 0; 1700 mkp = isp->smk_mmap; 1701 1702 tsp = current_security(); 1703 skp = smk_of_current(); 1704 rc = 0; 1705 1706 rcu_read_lock(); 1707 /* 1708 * For each Smack rule associated with the subject 1709 * label verify that the SMACK64MMAP also has access 1710 * to that rule's object label. 1711 */ 1712 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1713 okp = srp->smk_object; 1714 /* 1715 * Matching labels always allows access. 1716 */ 1717 if (mkp->smk_known == okp->smk_known) 1718 continue; 1719 /* 1720 * If there is a matching local rule take 1721 * that into account as well. 1722 */ 1723 may = smk_access_entry(srp->smk_subject->smk_known, 1724 okp->smk_known, 1725 &tsp->smk_rules); 1726 if (may == -ENOENT) 1727 may = srp->smk_access; 1728 else 1729 may &= srp->smk_access; 1730 /* 1731 * If may is zero the SMACK64MMAP subject can't 1732 * possibly have less access. 1733 */ 1734 if (may == 0) 1735 continue; 1736 1737 /* 1738 * Fetch the global list entry. 1739 * If there isn't one a SMACK64MMAP subject 1740 * can't have as much access as current. 1741 */ 1742 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1743 &mkp->smk_rules); 1744 if (mmay == -ENOENT) { 1745 rc = -EACCES; 1746 break; 1747 } 1748 /* 1749 * If there is a local entry it modifies the 1750 * potential access, too. 1751 */ 1752 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1753 &tsp->smk_rules); 1754 if (tmay != -ENOENT) 1755 mmay &= tmay; 1756 1757 /* 1758 * If there is any access available to current that is 1759 * not available to a SMACK64MMAP subject 1760 * deny access. 1761 */ 1762 if ((may | mmay) != mmay) { 1763 rc = -EACCES; 1764 break; 1765 } 1766 } 1767 1768 rcu_read_unlock(); 1769 1770 return rc; 1771 } 1772 1773 /** 1774 * smack_file_set_fowner - set the file security blob value 1775 * @file: object in question 1776 * 1777 */ 1778 static void smack_file_set_fowner(struct file *file) 1779 { 1780 file->f_security = smk_of_current(); 1781 } 1782 1783 /** 1784 * smack_file_send_sigiotask - Smack on sigio 1785 * @tsk: The target task 1786 * @fown: the object the signal come from 1787 * @signum: unused 1788 * 1789 * Allow a privileged task to get signals even if it shouldn't 1790 * 1791 * Returns 0 if a subject with the object's smack could 1792 * write to the task, an error code otherwise. 1793 */ 1794 static int smack_file_send_sigiotask(struct task_struct *tsk, 1795 struct fown_struct *fown, int signum) 1796 { 1797 struct smack_known *skp; 1798 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1799 struct file *file; 1800 int rc; 1801 struct smk_audit_info ad; 1802 1803 /* 1804 * struct fown_struct is never outside the context of a struct file 1805 */ 1806 file = container_of(fown, struct file, f_owner); 1807 1808 /* we don't log here as rc can be overriden */ 1809 skp = file->f_security; 1810 rc = smk_access(skp, tkp, MAY_WRITE, NULL); 1811 rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); 1812 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1813 rc = 0; 1814 1815 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1816 smk_ad_setfield_u_tsk(&ad, tsk); 1817 smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad); 1818 return rc; 1819 } 1820 1821 /** 1822 * smack_file_receive - Smack file receive check 1823 * @file: the object 1824 * 1825 * Returns 0 if current has access, error code otherwise 1826 */ 1827 static int smack_file_receive(struct file *file) 1828 { 1829 int rc; 1830 int may = 0; 1831 struct smk_audit_info ad; 1832 struct inode *inode = file_inode(file); 1833 1834 if (unlikely(IS_PRIVATE(inode))) 1835 return 0; 1836 1837 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1838 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1839 /* 1840 * This code relies on bitmasks. 1841 */ 1842 if (file->f_mode & FMODE_READ) 1843 may = MAY_READ; 1844 if (file->f_mode & FMODE_WRITE) 1845 may |= MAY_WRITE; 1846 1847 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1848 rc = smk_bu_file(file, may, rc); 1849 return rc; 1850 } 1851 1852 /** 1853 * smack_file_open - Smack dentry open processing 1854 * @file: the object 1855 * @cred: task credential 1856 * 1857 * Set the security blob in the file structure. 1858 * Allow the open only if the task has read access. There are 1859 * many read operations (e.g. fstat) that you can do with an 1860 * fd even if you have the file open write-only. 1861 * 1862 * Returns 0 1863 */ 1864 static int smack_file_open(struct file *file, const struct cred *cred) 1865 { 1866 struct task_smack *tsp = cred->security; 1867 struct inode *inode = file_inode(file); 1868 struct smk_audit_info ad; 1869 int rc; 1870 1871 if (smack_privileged(CAP_MAC_OVERRIDE)) 1872 return 0; 1873 1874 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1875 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1876 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); 1877 rc = smk_bu_credfile(cred, file, MAY_READ, rc); 1878 1879 return rc; 1880 } 1881 1882 /* 1883 * Task hooks 1884 */ 1885 1886 /** 1887 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1888 * @new: the new credentials 1889 * @gfp: the atomicity of any memory allocations 1890 * 1891 * Prepare a blank set of credentials for modification. This must allocate all 1892 * the memory the LSM module might require such that cred_transfer() can 1893 * complete without error. 1894 */ 1895 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1896 { 1897 struct task_smack *tsp; 1898 1899 tsp = new_task_smack(NULL, NULL, gfp); 1900 if (tsp == NULL) 1901 return -ENOMEM; 1902 1903 cred->security = tsp; 1904 1905 return 0; 1906 } 1907 1908 1909 /** 1910 * smack_cred_free - "free" task-level security credentials 1911 * @cred: the credentials in question 1912 * 1913 */ 1914 static void smack_cred_free(struct cred *cred) 1915 { 1916 struct task_smack *tsp = cred->security; 1917 struct smack_rule *rp; 1918 struct list_head *l; 1919 struct list_head *n; 1920 1921 if (tsp == NULL) 1922 return; 1923 cred->security = NULL; 1924 1925 list_for_each_safe(l, n, &tsp->smk_rules) { 1926 rp = list_entry(l, struct smack_rule, list); 1927 list_del(&rp->list); 1928 kfree(rp); 1929 } 1930 kfree(tsp); 1931 } 1932 1933 /** 1934 * smack_cred_prepare - prepare new set of credentials for modification 1935 * @new: the new credentials 1936 * @old: the original credentials 1937 * @gfp: the atomicity of any memory allocations 1938 * 1939 * Prepare a new set of credentials for modification. 1940 */ 1941 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1942 gfp_t gfp) 1943 { 1944 struct task_smack *old_tsp = old->security; 1945 struct task_smack *new_tsp; 1946 int rc; 1947 1948 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1949 if (new_tsp == NULL) 1950 return -ENOMEM; 1951 1952 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1953 if (rc != 0) 1954 return rc; 1955 1956 new->security = new_tsp; 1957 return 0; 1958 } 1959 1960 /** 1961 * smack_cred_transfer - Transfer the old credentials to the new credentials 1962 * @new: the new credentials 1963 * @old: the original credentials 1964 * 1965 * Fill in a set of blank credentials from another set of credentials. 1966 */ 1967 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1968 { 1969 struct task_smack *old_tsp = old->security; 1970 struct task_smack *new_tsp = new->security; 1971 1972 new_tsp->smk_task = old_tsp->smk_task; 1973 new_tsp->smk_forked = old_tsp->smk_task; 1974 mutex_init(&new_tsp->smk_rules_lock); 1975 INIT_LIST_HEAD(&new_tsp->smk_rules); 1976 1977 1978 /* cbs copy rule list */ 1979 } 1980 1981 /** 1982 * smack_kernel_act_as - Set the subjective context in a set of credentials 1983 * @new: points to the set of credentials to be modified. 1984 * @secid: specifies the security ID to be set 1985 * 1986 * Set the security data for a kernel service. 1987 */ 1988 static int smack_kernel_act_as(struct cred *new, u32 secid) 1989 { 1990 struct task_smack *new_tsp = new->security; 1991 struct smack_known *skp = smack_from_secid(secid); 1992 1993 if (skp == NULL) 1994 return -EINVAL; 1995 1996 new_tsp->smk_task = skp; 1997 return 0; 1998 } 1999 2000 /** 2001 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2002 * @new: points to the set of credentials to be modified 2003 * @inode: points to the inode to use as a reference 2004 * 2005 * Set the file creation context in a set of credentials to the same 2006 * as the objective context of the specified inode 2007 */ 2008 static int smack_kernel_create_files_as(struct cred *new, 2009 struct inode *inode) 2010 { 2011 struct inode_smack *isp = inode->i_security; 2012 struct task_smack *tsp = new->security; 2013 2014 tsp->smk_forked = isp->smk_inode; 2015 tsp->smk_task = tsp->smk_forked; 2016 return 0; 2017 } 2018 2019 /** 2020 * smk_curacc_on_task - helper to log task related access 2021 * @p: the task object 2022 * @access: the access requested 2023 * @caller: name of the calling function for audit 2024 * 2025 * Return 0 if access is permitted 2026 */ 2027 static int smk_curacc_on_task(struct task_struct *p, int access, 2028 const char *caller) 2029 { 2030 struct smk_audit_info ad; 2031 struct smack_known *skp = smk_of_task_struct(p); 2032 int rc; 2033 2034 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2035 smk_ad_setfield_u_tsk(&ad, p); 2036 rc = smk_curacc(skp, access, &ad); 2037 rc = smk_bu_task(p, access, rc); 2038 return rc; 2039 } 2040 2041 /** 2042 * smack_task_setpgid - Smack check on setting pgid 2043 * @p: the task object 2044 * @pgid: unused 2045 * 2046 * Return 0 if write access is permitted 2047 */ 2048 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2049 { 2050 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2051 } 2052 2053 /** 2054 * smack_task_getpgid - Smack access check for getpgid 2055 * @p: the object task 2056 * 2057 * Returns 0 if current can read the object task, error code otherwise 2058 */ 2059 static int smack_task_getpgid(struct task_struct *p) 2060 { 2061 return smk_curacc_on_task(p, MAY_READ, __func__); 2062 } 2063 2064 /** 2065 * smack_task_getsid - Smack access check for getsid 2066 * @p: the object task 2067 * 2068 * Returns 0 if current can read the object task, error code otherwise 2069 */ 2070 static int smack_task_getsid(struct task_struct *p) 2071 { 2072 return smk_curacc_on_task(p, MAY_READ, __func__); 2073 } 2074 2075 /** 2076 * smack_task_getsecid - get the secid of the task 2077 * @p: the object task 2078 * @secid: where to put the result 2079 * 2080 * Sets the secid to contain a u32 version of the smack label. 2081 */ 2082 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2083 { 2084 struct smack_known *skp = smk_of_task_struct(p); 2085 2086 *secid = skp->smk_secid; 2087 } 2088 2089 /** 2090 * smack_task_setnice - Smack check on setting nice 2091 * @p: the task object 2092 * @nice: unused 2093 * 2094 * Return 0 if write access is permitted 2095 */ 2096 static int smack_task_setnice(struct task_struct *p, int nice) 2097 { 2098 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2099 } 2100 2101 /** 2102 * smack_task_setioprio - Smack check on setting ioprio 2103 * @p: the task object 2104 * @ioprio: unused 2105 * 2106 * Return 0 if write access is permitted 2107 */ 2108 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2109 { 2110 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2111 } 2112 2113 /** 2114 * smack_task_getioprio - Smack check on reading ioprio 2115 * @p: the task object 2116 * 2117 * Return 0 if read access is permitted 2118 */ 2119 static int smack_task_getioprio(struct task_struct *p) 2120 { 2121 return smk_curacc_on_task(p, MAY_READ, __func__); 2122 } 2123 2124 /** 2125 * smack_task_setscheduler - Smack check on setting scheduler 2126 * @p: the task object 2127 * @policy: unused 2128 * @lp: unused 2129 * 2130 * Return 0 if read access is permitted 2131 */ 2132 static int smack_task_setscheduler(struct task_struct *p) 2133 { 2134 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2135 } 2136 2137 /** 2138 * smack_task_getscheduler - Smack check on reading scheduler 2139 * @p: the task object 2140 * 2141 * Return 0 if read access is permitted 2142 */ 2143 static int smack_task_getscheduler(struct task_struct *p) 2144 { 2145 return smk_curacc_on_task(p, MAY_READ, __func__); 2146 } 2147 2148 /** 2149 * smack_task_movememory - Smack check on moving memory 2150 * @p: the task object 2151 * 2152 * Return 0 if write access is permitted 2153 */ 2154 static int smack_task_movememory(struct task_struct *p) 2155 { 2156 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2157 } 2158 2159 /** 2160 * smack_task_kill - Smack check on signal delivery 2161 * @p: the task object 2162 * @info: unused 2163 * @sig: unused 2164 * @secid: identifies the smack to use in lieu of current's 2165 * 2166 * Return 0 if write access is permitted 2167 * 2168 * The secid behavior is an artifact of an SELinux hack 2169 * in the USB code. Someday it may go away. 2170 */ 2171 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 2172 int sig, u32 secid) 2173 { 2174 struct smk_audit_info ad; 2175 struct smack_known *skp; 2176 struct smack_known *tkp = smk_of_task_struct(p); 2177 int rc; 2178 2179 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2180 smk_ad_setfield_u_tsk(&ad, p); 2181 /* 2182 * Sending a signal requires that the sender 2183 * can write the receiver. 2184 */ 2185 if (secid == 0) { 2186 rc = smk_curacc(tkp, MAY_WRITE, &ad); 2187 rc = smk_bu_task(p, MAY_WRITE, rc); 2188 return rc; 2189 } 2190 /* 2191 * If the secid isn't 0 we're dealing with some USB IO 2192 * specific behavior. This is not clean. For one thing 2193 * we can't take privilege into account. 2194 */ 2195 skp = smack_from_secid(secid); 2196 rc = smk_access(skp, tkp, MAY_WRITE, &ad); 2197 rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc); 2198 return rc; 2199 } 2200 2201 /** 2202 * smack_task_wait - Smack access check for waiting 2203 * @p: task to wait for 2204 * 2205 * Returns 0 2206 */ 2207 static int smack_task_wait(struct task_struct *p) 2208 { 2209 /* 2210 * Allow the operation to succeed. 2211 * Zombies are bad. 2212 * In userless environments (e.g. phones) programs 2213 * get marked with SMACK64EXEC and even if the parent 2214 * and child shouldn't be talking the parent still 2215 * may expect to know when the child exits. 2216 */ 2217 return 0; 2218 } 2219 2220 /** 2221 * smack_task_to_inode - copy task smack into the inode blob 2222 * @p: task to copy from 2223 * @inode: inode to copy to 2224 * 2225 * Sets the smack pointer in the inode security blob 2226 */ 2227 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2228 { 2229 struct inode_smack *isp = inode->i_security; 2230 struct smack_known *skp = smk_of_task_struct(p); 2231 2232 isp->smk_inode = skp; 2233 } 2234 2235 /* 2236 * Socket hooks. 2237 */ 2238 2239 /** 2240 * smack_sk_alloc_security - Allocate a socket blob 2241 * @sk: the socket 2242 * @family: unused 2243 * @gfp_flags: memory allocation flags 2244 * 2245 * Assign Smack pointers to current 2246 * 2247 * Returns 0 on success, -ENOMEM is there's no memory 2248 */ 2249 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2250 { 2251 struct smack_known *skp = smk_of_current(); 2252 struct socket_smack *ssp; 2253 2254 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2255 if (ssp == NULL) 2256 return -ENOMEM; 2257 2258 ssp->smk_in = skp; 2259 ssp->smk_out = skp; 2260 ssp->smk_packet = NULL; 2261 2262 sk->sk_security = ssp; 2263 2264 return 0; 2265 } 2266 2267 /** 2268 * smack_sk_free_security - Free a socket blob 2269 * @sk: the socket 2270 * 2271 * Clears the blob pointer 2272 */ 2273 static void smack_sk_free_security(struct sock *sk) 2274 { 2275 kfree(sk->sk_security); 2276 } 2277 2278 /** 2279 * smack_ipv4host_label - check host based restrictions 2280 * @sip: the object end 2281 * 2282 * looks for host based access restrictions 2283 * 2284 * This version will only be appropriate for really small sets of single label 2285 * hosts. The caller is responsible for ensuring that the RCU read lock is 2286 * taken before calling this function. 2287 * 2288 * Returns the label of the far end or NULL if it's not special. 2289 */ 2290 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2291 { 2292 struct smk_net4addr *snp; 2293 struct in_addr *siap = &sip->sin_addr; 2294 2295 if (siap->s_addr == 0) 2296 return NULL; 2297 2298 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2299 /* 2300 * we break after finding the first match because 2301 * the list is sorted from longest to shortest mask 2302 * so we have found the most specific match 2303 */ 2304 if (snp->smk_host.s_addr == 2305 (siap->s_addr & snp->smk_mask.s_addr)) 2306 return snp->smk_label; 2307 2308 return NULL; 2309 } 2310 2311 #if IS_ENABLED(CONFIG_IPV6) 2312 /* 2313 * smk_ipv6_localhost - Check for local ipv6 host address 2314 * @sip: the address 2315 * 2316 * Returns boolean true if this is the localhost address 2317 */ 2318 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2319 { 2320 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2321 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2322 2323 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2324 ntohs(be16p[7]) == 1) 2325 return true; 2326 return false; 2327 } 2328 2329 /** 2330 * smack_ipv6host_label - check host based restrictions 2331 * @sip: the object end 2332 * 2333 * looks for host based access restrictions 2334 * 2335 * This version will only be appropriate for really small sets of single label 2336 * hosts. The caller is responsible for ensuring that the RCU read lock is 2337 * taken before calling this function. 2338 * 2339 * Returns the label of the far end or NULL if it's not special. 2340 */ 2341 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2342 { 2343 struct smk_net6addr *snp; 2344 struct in6_addr *sap = &sip->sin6_addr; 2345 int i; 2346 int found = 0; 2347 2348 /* 2349 * It's local. Don't look for a host label. 2350 */ 2351 if (smk_ipv6_localhost(sip)) 2352 return NULL; 2353 2354 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2355 /* 2356 * we break after finding the first match because 2357 * the list is sorted from longest to shortest mask 2358 * so we have found the most specific match 2359 */ 2360 for (found = 1, i = 0; i < 8; i++) { 2361 /* 2362 * If the label is NULL the entry has 2363 * been renounced. Ignore it. 2364 */ 2365 if (snp->smk_label == NULL) 2366 continue; 2367 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2368 snp->smk_host.s6_addr16[i]) { 2369 found = 0; 2370 break; 2371 } 2372 } 2373 if (found) 2374 return snp->smk_label; 2375 } 2376 2377 return NULL; 2378 } 2379 #endif /* CONFIG_IPV6 */ 2380 2381 /** 2382 * smack_netlabel - Set the secattr on a socket 2383 * @sk: the socket 2384 * @labeled: socket label scheme 2385 * 2386 * Convert the outbound smack value (smk_out) to a 2387 * secattr and attach it to the socket. 2388 * 2389 * Returns 0 on success or an error code 2390 */ 2391 static int smack_netlabel(struct sock *sk, int labeled) 2392 { 2393 struct smack_known *skp; 2394 struct socket_smack *ssp = sk->sk_security; 2395 int rc = 0; 2396 2397 /* 2398 * Usually the netlabel code will handle changing the 2399 * packet labeling based on the label. 2400 * The case of a single label host is different, because 2401 * a single label host should never get a labeled packet 2402 * even though the label is usually associated with a packet 2403 * label. 2404 */ 2405 local_bh_disable(); 2406 bh_lock_sock_nested(sk); 2407 2408 if (ssp->smk_out == smack_net_ambient || 2409 labeled == SMACK_UNLABELED_SOCKET) 2410 netlbl_sock_delattr(sk); 2411 else { 2412 skp = ssp->smk_out; 2413 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2414 } 2415 2416 bh_unlock_sock(sk); 2417 local_bh_enable(); 2418 2419 return rc; 2420 } 2421 2422 /** 2423 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2424 * @sk: the socket 2425 * @sap: the destination address 2426 * 2427 * Set the correct secattr for the given socket based on the destination 2428 * address and perform any outbound access checks needed. 2429 * 2430 * Returns 0 on success or an error code. 2431 * 2432 */ 2433 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2434 { 2435 struct smack_known *skp; 2436 int rc; 2437 int sk_lbl; 2438 struct smack_known *hkp; 2439 struct socket_smack *ssp = sk->sk_security; 2440 struct smk_audit_info ad; 2441 2442 rcu_read_lock(); 2443 hkp = smack_ipv4host_label(sap); 2444 if (hkp != NULL) { 2445 #ifdef CONFIG_AUDIT 2446 struct lsm_network_audit net; 2447 2448 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2449 ad.a.u.net->family = sap->sin_family; 2450 ad.a.u.net->dport = sap->sin_port; 2451 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2452 #endif 2453 sk_lbl = SMACK_UNLABELED_SOCKET; 2454 skp = ssp->smk_out; 2455 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2456 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2457 } else { 2458 sk_lbl = SMACK_CIPSO_SOCKET; 2459 rc = 0; 2460 } 2461 rcu_read_unlock(); 2462 if (rc != 0) 2463 return rc; 2464 2465 return smack_netlabel(sk, sk_lbl); 2466 } 2467 2468 #if IS_ENABLED(CONFIG_IPV6) 2469 /** 2470 * smk_ipv6_check - check Smack access 2471 * @subject: subject Smack label 2472 * @object: object Smack label 2473 * @address: address 2474 * @act: the action being taken 2475 * 2476 * Check an IPv6 access 2477 */ 2478 static int smk_ipv6_check(struct smack_known *subject, 2479 struct smack_known *object, 2480 struct sockaddr_in6 *address, int act) 2481 { 2482 #ifdef CONFIG_AUDIT 2483 struct lsm_network_audit net; 2484 #endif 2485 struct smk_audit_info ad; 2486 int rc; 2487 2488 #ifdef CONFIG_AUDIT 2489 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2490 ad.a.u.net->family = PF_INET6; 2491 ad.a.u.net->dport = ntohs(address->sin6_port); 2492 if (act == SMK_RECEIVING) 2493 ad.a.u.net->v6info.saddr = address->sin6_addr; 2494 else 2495 ad.a.u.net->v6info.daddr = address->sin6_addr; 2496 #endif 2497 rc = smk_access(subject, object, MAY_WRITE, &ad); 2498 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2499 return rc; 2500 } 2501 #endif /* CONFIG_IPV6 */ 2502 2503 #ifdef SMACK_IPV6_PORT_LABELING 2504 /** 2505 * smk_ipv6_port_label - Smack port access table management 2506 * @sock: socket 2507 * @address: address 2508 * 2509 * Create or update the port list entry 2510 */ 2511 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2512 { 2513 struct sock *sk = sock->sk; 2514 struct sockaddr_in6 *addr6; 2515 struct socket_smack *ssp = sock->sk->sk_security; 2516 struct smk_port_label *spp; 2517 unsigned short port = 0; 2518 2519 if (address == NULL) { 2520 /* 2521 * This operation is changing the Smack information 2522 * on the bound socket. Take the changes to the port 2523 * as well. 2524 */ 2525 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2526 if (sk != spp->smk_sock) 2527 continue; 2528 spp->smk_in = ssp->smk_in; 2529 spp->smk_out = ssp->smk_out; 2530 return; 2531 } 2532 /* 2533 * A NULL address is only used for updating existing 2534 * bound entries. If there isn't one, it's OK. 2535 */ 2536 return; 2537 } 2538 2539 addr6 = (struct sockaddr_in6 *)address; 2540 port = ntohs(addr6->sin6_port); 2541 /* 2542 * This is a special case that is safely ignored. 2543 */ 2544 if (port == 0) 2545 return; 2546 2547 /* 2548 * Look for an existing port list entry. 2549 * This is an indication that a port is getting reused. 2550 */ 2551 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2552 if (spp->smk_port != port) 2553 continue; 2554 spp->smk_port = port; 2555 spp->smk_sock = sk; 2556 spp->smk_in = ssp->smk_in; 2557 spp->smk_out = ssp->smk_out; 2558 return; 2559 } 2560 2561 /* 2562 * A new port entry is required. 2563 */ 2564 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2565 if (spp == NULL) 2566 return; 2567 2568 spp->smk_port = port; 2569 spp->smk_sock = sk; 2570 spp->smk_in = ssp->smk_in; 2571 spp->smk_out = ssp->smk_out; 2572 2573 list_add(&spp->list, &smk_ipv6_port_list); 2574 return; 2575 } 2576 2577 /** 2578 * smk_ipv6_port_check - check Smack port access 2579 * @sock: socket 2580 * @address: address 2581 * 2582 * Create or update the port list entry 2583 */ 2584 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2585 int act) 2586 { 2587 struct smk_port_label *spp; 2588 struct socket_smack *ssp = sk->sk_security; 2589 struct smack_known *skp = NULL; 2590 unsigned short port; 2591 struct smack_known *object; 2592 2593 if (act == SMK_RECEIVING) { 2594 skp = smack_ipv6host_label(address); 2595 object = ssp->smk_in; 2596 } else { 2597 skp = ssp->smk_out; 2598 object = smack_ipv6host_label(address); 2599 } 2600 2601 /* 2602 * The other end is a single label host. 2603 */ 2604 if (skp != NULL && object != NULL) 2605 return smk_ipv6_check(skp, object, address, act); 2606 if (skp == NULL) 2607 skp = smack_net_ambient; 2608 if (object == NULL) 2609 object = smack_net_ambient; 2610 2611 /* 2612 * It's remote, so port lookup does no good. 2613 */ 2614 if (!smk_ipv6_localhost(address)) 2615 return smk_ipv6_check(skp, object, address, act); 2616 2617 /* 2618 * It's local so the send check has to have passed. 2619 */ 2620 if (act == SMK_RECEIVING) 2621 return 0; 2622 2623 port = ntohs(address->sin6_port); 2624 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2625 if (spp->smk_port != port) 2626 continue; 2627 object = spp->smk_in; 2628 if (act == SMK_CONNECTING) 2629 ssp->smk_packet = spp->smk_out; 2630 break; 2631 } 2632 2633 return smk_ipv6_check(skp, object, address, act); 2634 } 2635 #endif /* SMACK_IPV6_PORT_LABELING */ 2636 2637 /** 2638 * smack_inode_setsecurity - set smack xattrs 2639 * @inode: the object 2640 * @name: attribute name 2641 * @value: attribute value 2642 * @size: size of the attribute 2643 * @flags: unused 2644 * 2645 * Sets the named attribute in the appropriate blob 2646 * 2647 * Returns 0 on success, or an error code 2648 */ 2649 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2650 const void *value, size_t size, int flags) 2651 { 2652 struct smack_known *skp; 2653 struct inode_smack *nsp = inode->i_security; 2654 struct socket_smack *ssp; 2655 struct socket *sock; 2656 int rc = 0; 2657 2658 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2659 return -EINVAL; 2660 2661 skp = smk_import_entry(value, size); 2662 if (IS_ERR(skp)) 2663 return PTR_ERR(skp); 2664 2665 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2666 nsp->smk_inode = skp; 2667 nsp->smk_flags |= SMK_INODE_INSTANT; 2668 return 0; 2669 } 2670 /* 2671 * The rest of the Smack xattrs are only on sockets. 2672 */ 2673 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2674 return -EOPNOTSUPP; 2675 2676 sock = SOCKET_I(inode); 2677 if (sock == NULL || sock->sk == NULL) 2678 return -EOPNOTSUPP; 2679 2680 ssp = sock->sk->sk_security; 2681 2682 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2683 ssp->smk_in = skp; 2684 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2685 ssp->smk_out = skp; 2686 if (sock->sk->sk_family == PF_INET) { 2687 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2688 if (rc != 0) 2689 printk(KERN_WARNING 2690 "Smack: \"%s\" netlbl error %d.\n", 2691 __func__, -rc); 2692 } 2693 } else 2694 return -EOPNOTSUPP; 2695 2696 #ifdef SMACK_IPV6_PORT_LABELING 2697 if (sock->sk->sk_family == PF_INET6) 2698 smk_ipv6_port_label(sock, NULL); 2699 #endif 2700 2701 return 0; 2702 } 2703 2704 /** 2705 * smack_socket_post_create - finish socket setup 2706 * @sock: the socket 2707 * @family: protocol family 2708 * @type: unused 2709 * @protocol: unused 2710 * @kern: unused 2711 * 2712 * Sets the netlabel information on the socket 2713 * 2714 * Returns 0 on success, and error code otherwise 2715 */ 2716 static int smack_socket_post_create(struct socket *sock, int family, 2717 int type, int protocol, int kern) 2718 { 2719 struct socket_smack *ssp; 2720 2721 if (sock->sk == NULL) 2722 return 0; 2723 2724 /* 2725 * Sockets created by kernel threads receive web label. 2726 */ 2727 if (unlikely(current->flags & PF_KTHREAD)) { 2728 ssp = sock->sk->sk_security; 2729 ssp->smk_in = &smack_known_web; 2730 ssp->smk_out = &smack_known_web; 2731 } 2732 2733 if (family != PF_INET) 2734 return 0; 2735 /* 2736 * Set the outbound netlbl. 2737 */ 2738 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2739 } 2740 2741 #ifdef SMACK_IPV6_PORT_LABELING 2742 /** 2743 * smack_socket_bind - record port binding information. 2744 * @sock: the socket 2745 * @address: the port address 2746 * @addrlen: size of the address 2747 * 2748 * Records the label bound to a port. 2749 * 2750 * Returns 0 2751 */ 2752 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2753 int addrlen) 2754 { 2755 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2756 smk_ipv6_port_label(sock, address); 2757 return 0; 2758 } 2759 #endif /* SMACK_IPV6_PORT_LABELING */ 2760 2761 /** 2762 * smack_socket_connect - connect access check 2763 * @sock: the socket 2764 * @sap: the other end 2765 * @addrlen: size of sap 2766 * 2767 * Verifies that a connection may be possible 2768 * 2769 * Returns 0 on success, and error code otherwise 2770 */ 2771 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2772 int addrlen) 2773 { 2774 int rc = 0; 2775 #if IS_ENABLED(CONFIG_IPV6) 2776 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2777 #endif 2778 #ifdef SMACK_IPV6_SECMARK_LABELING 2779 struct smack_known *rsp; 2780 struct socket_smack *ssp = sock->sk->sk_security; 2781 #endif 2782 2783 if (sock->sk == NULL) 2784 return 0; 2785 2786 switch (sock->sk->sk_family) { 2787 case PF_INET: 2788 if (addrlen < sizeof(struct sockaddr_in)) 2789 return -EINVAL; 2790 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2791 break; 2792 case PF_INET6: 2793 if (addrlen < sizeof(struct sockaddr_in6)) 2794 return -EINVAL; 2795 #ifdef SMACK_IPV6_SECMARK_LABELING 2796 rsp = smack_ipv6host_label(sip); 2797 if (rsp != NULL) 2798 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2799 SMK_CONNECTING); 2800 #endif 2801 #ifdef SMACK_IPV6_PORT_LABELING 2802 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2803 #endif 2804 break; 2805 } 2806 return rc; 2807 } 2808 2809 /** 2810 * smack_flags_to_may - convert S_ to MAY_ values 2811 * @flags: the S_ value 2812 * 2813 * Returns the equivalent MAY_ value 2814 */ 2815 static int smack_flags_to_may(int flags) 2816 { 2817 int may = 0; 2818 2819 if (flags & S_IRUGO) 2820 may |= MAY_READ; 2821 if (flags & S_IWUGO) 2822 may |= MAY_WRITE; 2823 if (flags & S_IXUGO) 2824 may |= MAY_EXEC; 2825 2826 return may; 2827 } 2828 2829 /** 2830 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2831 * @msg: the object 2832 * 2833 * Returns 0 2834 */ 2835 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2836 { 2837 struct smack_known *skp = smk_of_current(); 2838 2839 msg->security = skp; 2840 return 0; 2841 } 2842 2843 /** 2844 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2845 * @msg: the object 2846 * 2847 * Clears the blob pointer 2848 */ 2849 static void smack_msg_msg_free_security(struct msg_msg *msg) 2850 { 2851 msg->security = NULL; 2852 } 2853 2854 /** 2855 * smack_of_shm - the smack pointer for the shm 2856 * @shp: the object 2857 * 2858 * Returns a pointer to the smack value 2859 */ 2860 static struct smack_known *smack_of_shm(struct shmid_kernel *shp) 2861 { 2862 return (struct smack_known *)shp->shm_perm.security; 2863 } 2864 2865 /** 2866 * smack_shm_alloc_security - Set the security blob for shm 2867 * @shp: the object 2868 * 2869 * Returns 0 2870 */ 2871 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2872 { 2873 struct kern_ipc_perm *isp = &shp->shm_perm; 2874 struct smack_known *skp = smk_of_current(); 2875 2876 isp->security = skp; 2877 return 0; 2878 } 2879 2880 /** 2881 * smack_shm_free_security - Clear the security blob for shm 2882 * @shp: the object 2883 * 2884 * Clears the blob pointer 2885 */ 2886 static void smack_shm_free_security(struct shmid_kernel *shp) 2887 { 2888 struct kern_ipc_perm *isp = &shp->shm_perm; 2889 2890 isp->security = NULL; 2891 } 2892 2893 /** 2894 * smk_curacc_shm : check if current has access on shm 2895 * @shp : the object 2896 * @access : access requested 2897 * 2898 * Returns 0 if current has the requested access, error code otherwise 2899 */ 2900 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2901 { 2902 struct smack_known *ssp = smack_of_shm(shp); 2903 struct smk_audit_info ad; 2904 int rc; 2905 2906 #ifdef CONFIG_AUDIT 2907 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2908 ad.a.u.ipc_id = shp->shm_perm.id; 2909 #endif 2910 rc = smk_curacc(ssp, access, &ad); 2911 rc = smk_bu_current("shm", ssp, access, rc); 2912 return rc; 2913 } 2914 2915 /** 2916 * smack_shm_associate - Smack access check for shm 2917 * @shp: the object 2918 * @shmflg: access requested 2919 * 2920 * Returns 0 if current has the requested access, error code otherwise 2921 */ 2922 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 2923 { 2924 int may; 2925 2926 may = smack_flags_to_may(shmflg); 2927 return smk_curacc_shm(shp, may); 2928 } 2929 2930 /** 2931 * smack_shm_shmctl - Smack access check for shm 2932 * @shp: the object 2933 * @cmd: what it wants to do 2934 * 2935 * Returns 0 if current has the requested access, error code otherwise 2936 */ 2937 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 2938 { 2939 int may; 2940 2941 switch (cmd) { 2942 case IPC_STAT: 2943 case SHM_STAT: 2944 may = MAY_READ; 2945 break; 2946 case IPC_SET: 2947 case SHM_LOCK: 2948 case SHM_UNLOCK: 2949 case IPC_RMID: 2950 may = MAY_READWRITE; 2951 break; 2952 case IPC_INFO: 2953 case SHM_INFO: 2954 /* 2955 * System level information. 2956 */ 2957 return 0; 2958 default: 2959 return -EINVAL; 2960 } 2961 return smk_curacc_shm(shp, may); 2962 } 2963 2964 /** 2965 * smack_shm_shmat - Smack access for shmat 2966 * @shp: the object 2967 * @shmaddr: unused 2968 * @shmflg: access requested 2969 * 2970 * Returns 0 if current has the requested access, error code otherwise 2971 */ 2972 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 2973 int shmflg) 2974 { 2975 int may; 2976 2977 may = smack_flags_to_may(shmflg); 2978 return smk_curacc_shm(shp, may); 2979 } 2980 2981 /** 2982 * smack_of_sem - the smack pointer for the sem 2983 * @sma: the object 2984 * 2985 * Returns a pointer to the smack value 2986 */ 2987 static struct smack_known *smack_of_sem(struct sem_array *sma) 2988 { 2989 return (struct smack_known *)sma->sem_perm.security; 2990 } 2991 2992 /** 2993 * smack_sem_alloc_security - Set the security blob for sem 2994 * @sma: the object 2995 * 2996 * Returns 0 2997 */ 2998 static int smack_sem_alloc_security(struct sem_array *sma) 2999 { 3000 struct kern_ipc_perm *isp = &sma->sem_perm; 3001 struct smack_known *skp = smk_of_current(); 3002 3003 isp->security = skp; 3004 return 0; 3005 } 3006 3007 /** 3008 * smack_sem_free_security - Clear the security blob for sem 3009 * @sma: the object 3010 * 3011 * Clears the blob pointer 3012 */ 3013 static void smack_sem_free_security(struct sem_array *sma) 3014 { 3015 struct kern_ipc_perm *isp = &sma->sem_perm; 3016 3017 isp->security = NULL; 3018 } 3019 3020 /** 3021 * smk_curacc_sem : check if current has access on sem 3022 * @sma : the object 3023 * @access : access requested 3024 * 3025 * Returns 0 if current has the requested access, error code otherwise 3026 */ 3027 static int smk_curacc_sem(struct sem_array *sma, int access) 3028 { 3029 struct smack_known *ssp = smack_of_sem(sma); 3030 struct smk_audit_info ad; 3031 int rc; 3032 3033 #ifdef CONFIG_AUDIT 3034 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3035 ad.a.u.ipc_id = sma->sem_perm.id; 3036 #endif 3037 rc = smk_curacc(ssp, access, &ad); 3038 rc = smk_bu_current("sem", ssp, access, rc); 3039 return rc; 3040 } 3041 3042 /** 3043 * smack_sem_associate - Smack access check for sem 3044 * @sma: the object 3045 * @semflg: access requested 3046 * 3047 * Returns 0 if current has the requested access, error code otherwise 3048 */ 3049 static int smack_sem_associate(struct sem_array *sma, int semflg) 3050 { 3051 int may; 3052 3053 may = smack_flags_to_may(semflg); 3054 return smk_curacc_sem(sma, may); 3055 } 3056 3057 /** 3058 * smack_sem_shmctl - Smack access check for sem 3059 * @sma: the object 3060 * @cmd: what it wants to do 3061 * 3062 * Returns 0 if current has the requested access, error code otherwise 3063 */ 3064 static int smack_sem_semctl(struct sem_array *sma, int cmd) 3065 { 3066 int may; 3067 3068 switch (cmd) { 3069 case GETPID: 3070 case GETNCNT: 3071 case GETZCNT: 3072 case GETVAL: 3073 case GETALL: 3074 case IPC_STAT: 3075 case SEM_STAT: 3076 may = MAY_READ; 3077 break; 3078 case SETVAL: 3079 case SETALL: 3080 case IPC_RMID: 3081 case IPC_SET: 3082 may = MAY_READWRITE; 3083 break; 3084 case IPC_INFO: 3085 case SEM_INFO: 3086 /* 3087 * System level information 3088 */ 3089 return 0; 3090 default: 3091 return -EINVAL; 3092 } 3093 3094 return smk_curacc_sem(sma, may); 3095 } 3096 3097 /** 3098 * smack_sem_semop - Smack checks of semaphore operations 3099 * @sma: the object 3100 * @sops: unused 3101 * @nsops: unused 3102 * @alter: unused 3103 * 3104 * Treated as read and write in all cases. 3105 * 3106 * Returns 0 if access is allowed, error code otherwise 3107 */ 3108 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 3109 unsigned nsops, int alter) 3110 { 3111 return smk_curacc_sem(sma, MAY_READWRITE); 3112 } 3113 3114 /** 3115 * smack_msg_alloc_security - Set the security blob for msg 3116 * @msq: the object 3117 * 3118 * Returns 0 3119 */ 3120 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 3121 { 3122 struct kern_ipc_perm *kisp = &msq->q_perm; 3123 struct smack_known *skp = smk_of_current(); 3124 3125 kisp->security = skp; 3126 return 0; 3127 } 3128 3129 /** 3130 * smack_msg_free_security - Clear the security blob for msg 3131 * @msq: the object 3132 * 3133 * Clears the blob pointer 3134 */ 3135 static void smack_msg_queue_free_security(struct msg_queue *msq) 3136 { 3137 struct kern_ipc_perm *kisp = &msq->q_perm; 3138 3139 kisp->security = NULL; 3140 } 3141 3142 /** 3143 * smack_of_msq - the smack pointer for the msq 3144 * @msq: the object 3145 * 3146 * Returns a pointer to the smack label entry 3147 */ 3148 static struct smack_known *smack_of_msq(struct msg_queue *msq) 3149 { 3150 return (struct smack_known *)msq->q_perm.security; 3151 } 3152 3153 /** 3154 * smk_curacc_msq : helper to check if current has access on msq 3155 * @msq : the msq 3156 * @access : access requested 3157 * 3158 * return 0 if current has access, error otherwise 3159 */ 3160 static int smk_curacc_msq(struct msg_queue *msq, int access) 3161 { 3162 struct smack_known *msp = smack_of_msq(msq); 3163 struct smk_audit_info ad; 3164 int rc; 3165 3166 #ifdef CONFIG_AUDIT 3167 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3168 ad.a.u.ipc_id = msq->q_perm.id; 3169 #endif 3170 rc = smk_curacc(msp, access, &ad); 3171 rc = smk_bu_current("msq", msp, access, rc); 3172 return rc; 3173 } 3174 3175 /** 3176 * smack_msg_queue_associate - Smack access check for msg_queue 3177 * @msq: the object 3178 * @msqflg: access requested 3179 * 3180 * Returns 0 if current has the requested access, error code otherwise 3181 */ 3182 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 3183 { 3184 int may; 3185 3186 may = smack_flags_to_may(msqflg); 3187 return smk_curacc_msq(msq, may); 3188 } 3189 3190 /** 3191 * smack_msg_queue_msgctl - Smack access check for msg_queue 3192 * @msq: the object 3193 * @cmd: what it wants to do 3194 * 3195 * Returns 0 if current has the requested access, error code otherwise 3196 */ 3197 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3198 { 3199 int may; 3200 3201 switch (cmd) { 3202 case IPC_STAT: 3203 case MSG_STAT: 3204 may = MAY_READ; 3205 break; 3206 case IPC_SET: 3207 case IPC_RMID: 3208 may = MAY_READWRITE; 3209 break; 3210 case IPC_INFO: 3211 case MSG_INFO: 3212 /* 3213 * System level information 3214 */ 3215 return 0; 3216 default: 3217 return -EINVAL; 3218 } 3219 3220 return smk_curacc_msq(msq, may); 3221 } 3222 3223 /** 3224 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3225 * @msq: the object 3226 * @msg: unused 3227 * @msqflg: access requested 3228 * 3229 * Returns 0 if current has the requested access, error code otherwise 3230 */ 3231 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 3232 int msqflg) 3233 { 3234 int may; 3235 3236 may = smack_flags_to_may(msqflg); 3237 return smk_curacc_msq(msq, may); 3238 } 3239 3240 /** 3241 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3242 * @msq: the object 3243 * @msg: unused 3244 * @target: unused 3245 * @type: unused 3246 * @mode: unused 3247 * 3248 * Returns 0 if current has read and write access, error code otherwise 3249 */ 3250 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3251 struct task_struct *target, long type, int mode) 3252 { 3253 return smk_curacc_msq(msq, MAY_READWRITE); 3254 } 3255 3256 /** 3257 * smack_ipc_permission - Smack access for ipc_permission() 3258 * @ipp: the object permissions 3259 * @flag: access requested 3260 * 3261 * Returns 0 if current has read and write access, error code otherwise 3262 */ 3263 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3264 { 3265 struct smack_known *iskp = ipp->security; 3266 int may = smack_flags_to_may(flag); 3267 struct smk_audit_info ad; 3268 int rc; 3269 3270 #ifdef CONFIG_AUDIT 3271 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3272 ad.a.u.ipc_id = ipp->id; 3273 #endif 3274 rc = smk_curacc(iskp, may, &ad); 3275 rc = smk_bu_current("svipc", iskp, may, rc); 3276 return rc; 3277 } 3278 3279 /** 3280 * smack_ipc_getsecid - Extract smack security id 3281 * @ipp: the object permissions 3282 * @secid: where result will be saved 3283 */ 3284 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3285 { 3286 struct smack_known *iskp = ipp->security; 3287 3288 *secid = iskp->smk_secid; 3289 } 3290 3291 /** 3292 * smack_d_instantiate - Make sure the blob is correct on an inode 3293 * @opt_dentry: dentry where inode will be attached 3294 * @inode: the object 3295 * 3296 * Set the inode's security blob if it hasn't been done already. 3297 */ 3298 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3299 { 3300 struct super_block *sbp; 3301 struct superblock_smack *sbsp; 3302 struct inode_smack *isp; 3303 struct smack_known *skp; 3304 struct smack_known *ckp = smk_of_current(); 3305 struct smack_known *final; 3306 char trattr[TRANS_TRUE_SIZE]; 3307 int transflag = 0; 3308 int rc; 3309 struct dentry *dp; 3310 3311 if (inode == NULL) 3312 return; 3313 3314 isp = inode->i_security; 3315 3316 mutex_lock(&isp->smk_lock); 3317 /* 3318 * If the inode is already instantiated 3319 * take the quick way out 3320 */ 3321 if (isp->smk_flags & SMK_INODE_INSTANT) 3322 goto unlockandout; 3323 3324 sbp = inode->i_sb; 3325 sbsp = sbp->s_security; 3326 /* 3327 * We're going to use the superblock default label 3328 * if there's no label on the file. 3329 */ 3330 final = sbsp->smk_default; 3331 3332 /* 3333 * If this is the root inode the superblock 3334 * may be in the process of initialization. 3335 * If that is the case use the root value out 3336 * of the superblock. 3337 */ 3338 if (opt_dentry->d_parent == opt_dentry) { 3339 switch (sbp->s_magic) { 3340 case CGROUP_SUPER_MAGIC: 3341 /* 3342 * The cgroup filesystem is never mounted, 3343 * so there's no opportunity to set the mount 3344 * options. 3345 */ 3346 sbsp->smk_root = &smack_known_star; 3347 sbsp->smk_default = &smack_known_star; 3348 isp->smk_inode = sbsp->smk_root; 3349 break; 3350 case TMPFS_MAGIC: 3351 /* 3352 * What about shmem/tmpfs anonymous files with dentry 3353 * obtained from d_alloc_pseudo()? 3354 */ 3355 isp->smk_inode = smk_of_current(); 3356 break; 3357 default: 3358 isp->smk_inode = sbsp->smk_root; 3359 break; 3360 } 3361 isp->smk_flags |= SMK_INODE_INSTANT; 3362 goto unlockandout; 3363 } 3364 3365 /* 3366 * This is pretty hackish. 3367 * Casey says that we shouldn't have to do 3368 * file system specific code, but it does help 3369 * with keeping it simple. 3370 */ 3371 switch (sbp->s_magic) { 3372 case SMACK_MAGIC: 3373 case PIPEFS_MAGIC: 3374 case SOCKFS_MAGIC: 3375 case CGROUP_SUPER_MAGIC: 3376 /* 3377 * Casey says that it's a little embarrassing 3378 * that the smack file system doesn't do 3379 * extended attributes. 3380 * 3381 * Casey says pipes are easy (?) 3382 * 3383 * Socket access is controlled by the socket 3384 * structures associated with the task involved. 3385 * 3386 * Cgroupfs is special 3387 */ 3388 final = &smack_known_star; 3389 break; 3390 case DEVPTS_SUPER_MAGIC: 3391 /* 3392 * devpts seems content with the label of the task. 3393 * Programs that change smack have to treat the 3394 * pty with respect. 3395 */ 3396 final = ckp; 3397 break; 3398 case PROC_SUPER_MAGIC: 3399 /* 3400 * Casey says procfs appears not to care. 3401 * The superblock default suffices. 3402 */ 3403 break; 3404 case TMPFS_MAGIC: 3405 /* 3406 * Device labels should come from the filesystem, 3407 * but watch out, because they're volitile, 3408 * getting recreated on every reboot. 3409 */ 3410 final = &smack_known_star; 3411 /* 3412 * No break. 3413 * 3414 * If a smack value has been set we want to use it, 3415 * but since tmpfs isn't giving us the opportunity 3416 * to set mount options simulate setting the 3417 * superblock default. 3418 */ 3419 default: 3420 /* 3421 * This isn't an understood special case. 3422 * Get the value from the xattr. 3423 */ 3424 3425 /* 3426 * UNIX domain sockets use lower level socket data. 3427 */ 3428 if (S_ISSOCK(inode->i_mode)) { 3429 final = &smack_known_star; 3430 break; 3431 } 3432 /* 3433 * No xattr support means, alas, no SMACK label. 3434 * Use the aforeapplied default. 3435 * It would be curious if the label of the task 3436 * does not match that assigned. 3437 */ 3438 if (inode->i_op->getxattr == NULL) 3439 break; 3440 /* 3441 * Get the dentry for xattr. 3442 */ 3443 dp = dget(opt_dentry); 3444 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3445 if (!IS_ERR_OR_NULL(skp)) 3446 final = skp; 3447 3448 /* 3449 * Transmuting directory 3450 */ 3451 if (S_ISDIR(inode->i_mode)) { 3452 /* 3453 * If this is a new directory and the label was 3454 * transmuted when the inode was initialized 3455 * set the transmute attribute on the directory 3456 * and mark the inode. 3457 * 3458 * If there is a transmute attribute on the 3459 * directory mark the inode. 3460 */ 3461 if (isp->smk_flags & SMK_INODE_CHANGED) { 3462 isp->smk_flags &= ~SMK_INODE_CHANGED; 3463 rc = inode->i_op->setxattr(dp, 3464 XATTR_NAME_SMACKTRANSMUTE, 3465 TRANS_TRUE, TRANS_TRUE_SIZE, 3466 0); 3467 } else { 3468 rc = inode->i_op->getxattr(dp, 3469 XATTR_NAME_SMACKTRANSMUTE, trattr, 3470 TRANS_TRUE_SIZE); 3471 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3472 TRANS_TRUE_SIZE) != 0) 3473 rc = -EINVAL; 3474 } 3475 if (rc >= 0) 3476 transflag = SMK_INODE_TRANSMUTE; 3477 } 3478 /* 3479 * Don't let the exec or mmap label be "*" or "@". 3480 */ 3481 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3482 if (IS_ERR(skp) || skp == &smack_known_star || 3483 skp == &smack_known_web) 3484 skp = NULL; 3485 isp->smk_task = skp; 3486 3487 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3488 if (IS_ERR(skp) || skp == &smack_known_star || 3489 skp == &smack_known_web) 3490 skp = NULL; 3491 isp->smk_mmap = skp; 3492 3493 dput(dp); 3494 break; 3495 } 3496 3497 if (final == NULL) 3498 isp->smk_inode = ckp; 3499 else 3500 isp->smk_inode = final; 3501 3502 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3503 3504 unlockandout: 3505 mutex_unlock(&isp->smk_lock); 3506 return; 3507 } 3508 3509 /** 3510 * smack_getprocattr - Smack process attribute access 3511 * @p: the object task 3512 * @name: the name of the attribute in /proc/.../attr 3513 * @value: where to put the result 3514 * 3515 * Places a copy of the task Smack into value 3516 * 3517 * Returns the length of the smack label or an error code 3518 */ 3519 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3520 { 3521 struct smack_known *skp = smk_of_task_struct(p); 3522 char *cp; 3523 int slen; 3524 3525 if (strcmp(name, "current") != 0) 3526 return -EINVAL; 3527 3528 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3529 if (cp == NULL) 3530 return -ENOMEM; 3531 3532 slen = strlen(cp); 3533 *value = cp; 3534 return slen; 3535 } 3536 3537 /** 3538 * smack_setprocattr - Smack process attribute setting 3539 * @p: the object task 3540 * @name: the name of the attribute in /proc/.../attr 3541 * @value: the value to set 3542 * @size: the size of the value 3543 * 3544 * Sets the Smack value of the task. Only setting self 3545 * is permitted and only with privilege 3546 * 3547 * Returns the length of the smack label or an error code 3548 */ 3549 static int smack_setprocattr(struct task_struct *p, char *name, 3550 void *value, size_t size) 3551 { 3552 struct task_smack *tsp; 3553 struct cred *new; 3554 struct smack_known *skp; 3555 3556 /* 3557 * Changing another process' Smack value is too dangerous 3558 * and supports no sane use case. 3559 */ 3560 if (p != current) 3561 return -EPERM; 3562 3563 if (!smack_privileged(CAP_MAC_ADMIN)) 3564 return -EPERM; 3565 3566 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3567 return -EINVAL; 3568 3569 if (strcmp(name, "current") != 0) 3570 return -EINVAL; 3571 3572 skp = smk_import_entry(value, size); 3573 if (IS_ERR(skp)) 3574 return PTR_ERR(skp); 3575 3576 /* 3577 * No process is ever allowed the web ("@") label. 3578 */ 3579 if (skp == &smack_known_web) 3580 return -EPERM; 3581 3582 new = prepare_creds(); 3583 if (new == NULL) 3584 return -ENOMEM; 3585 3586 tsp = new->security; 3587 tsp->smk_task = skp; 3588 3589 commit_creds(new); 3590 return size; 3591 } 3592 3593 /** 3594 * smack_unix_stream_connect - Smack access on UDS 3595 * @sock: one sock 3596 * @other: the other sock 3597 * @newsk: unused 3598 * 3599 * Return 0 if a subject with the smack of sock could access 3600 * an object with the smack of other, otherwise an error code 3601 */ 3602 static int smack_unix_stream_connect(struct sock *sock, 3603 struct sock *other, struct sock *newsk) 3604 { 3605 struct smack_known *skp; 3606 struct smack_known *okp; 3607 struct socket_smack *ssp = sock->sk_security; 3608 struct socket_smack *osp = other->sk_security; 3609 struct socket_smack *nsp = newsk->sk_security; 3610 struct smk_audit_info ad; 3611 int rc = 0; 3612 #ifdef CONFIG_AUDIT 3613 struct lsm_network_audit net; 3614 #endif 3615 3616 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3617 skp = ssp->smk_out; 3618 okp = osp->smk_in; 3619 #ifdef CONFIG_AUDIT 3620 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3621 smk_ad_setfield_u_net_sk(&ad, other); 3622 #endif 3623 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3624 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3625 if (rc == 0) { 3626 okp = osp->smk_out; 3627 skp = ssp->smk_in; 3628 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3629 rc = smk_bu_note("UDS connect", okp, skp, 3630 MAY_WRITE, rc); 3631 } 3632 } 3633 3634 /* 3635 * Cross reference the peer labels for SO_PEERSEC. 3636 */ 3637 if (rc == 0) { 3638 nsp->smk_packet = ssp->smk_out; 3639 ssp->smk_packet = osp->smk_out; 3640 } 3641 3642 return rc; 3643 } 3644 3645 /** 3646 * smack_unix_may_send - Smack access on UDS 3647 * @sock: one socket 3648 * @other: the other socket 3649 * 3650 * Return 0 if a subject with the smack of sock could access 3651 * an object with the smack of other, otherwise an error code 3652 */ 3653 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3654 { 3655 struct socket_smack *ssp = sock->sk->sk_security; 3656 struct socket_smack *osp = other->sk->sk_security; 3657 struct smk_audit_info ad; 3658 int rc; 3659 3660 #ifdef CONFIG_AUDIT 3661 struct lsm_network_audit net; 3662 3663 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3664 smk_ad_setfield_u_net_sk(&ad, other->sk); 3665 #endif 3666 3667 if (smack_privileged(CAP_MAC_OVERRIDE)) 3668 return 0; 3669 3670 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3671 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3672 return rc; 3673 } 3674 3675 /** 3676 * smack_socket_sendmsg - Smack check based on destination host 3677 * @sock: the socket 3678 * @msg: the message 3679 * @size: the size of the message 3680 * 3681 * Return 0 if the current subject can write to the destination host. 3682 * For IPv4 this is only a question if the destination is a single label host. 3683 * For IPv6 this is a check against the label of the port. 3684 */ 3685 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3686 int size) 3687 { 3688 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3689 #if IS_ENABLED(CONFIG_IPV6) 3690 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3691 #endif 3692 #ifdef SMACK_IPV6_SECMARK_LABELING 3693 struct socket_smack *ssp = sock->sk->sk_security; 3694 struct smack_known *rsp; 3695 #endif 3696 int rc = 0; 3697 3698 /* 3699 * Perfectly reasonable for this to be NULL 3700 */ 3701 if (sip == NULL) 3702 return 0; 3703 3704 switch (sip->sin_family) { 3705 case AF_INET: 3706 rc = smack_netlabel_send(sock->sk, sip); 3707 break; 3708 case AF_INET6: 3709 #ifdef SMACK_IPV6_SECMARK_LABELING 3710 rsp = smack_ipv6host_label(sap); 3711 if (rsp != NULL) 3712 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3713 SMK_CONNECTING); 3714 #endif 3715 #ifdef SMACK_IPV6_PORT_LABELING 3716 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3717 #endif 3718 break; 3719 } 3720 return rc; 3721 } 3722 3723 /** 3724 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3725 * @sap: netlabel secattr 3726 * @ssp: socket security information 3727 * 3728 * Returns a pointer to a Smack label entry found on the label list. 3729 */ 3730 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3731 struct socket_smack *ssp) 3732 { 3733 struct smack_known *skp; 3734 int found = 0; 3735 int acat; 3736 int kcat; 3737 3738 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3739 /* 3740 * Looks like a CIPSO packet. 3741 * If there are flags but no level netlabel isn't 3742 * behaving the way we expect it to. 3743 * 3744 * Look it up in the label table 3745 * Without guidance regarding the smack value 3746 * for the packet fall back on the network 3747 * ambient value. 3748 */ 3749 rcu_read_lock(); 3750 list_for_each_entry(skp, &smack_known_list, list) { 3751 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3752 continue; 3753 /* 3754 * Compare the catsets. Use the netlbl APIs. 3755 */ 3756 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3757 if ((skp->smk_netlabel.flags & 3758 NETLBL_SECATTR_MLS_CAT) == 0) 3759 found = 1; 3760 break; 3761 } 3762 for (acat = -1, kcat = -1; acat == kcat; ) { 3763 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3764 acat + 1); 3765 kcat = netlbl_catmap_walk( 3766 skp->smk_netlabel.attr.mls.cat, 3767 kcat + 1); 3768 if (acat < 0 || kcat < 0) 3769 break; 3770 } 3771 if (acat == kcat) { 3772 found = 1; 3773 break; 3774 } 3775 } 3776 rcu_read_unlock(); 3777 3778 if (found) 3779 return skp; 3780 3781 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3782 return &smack_known_web; 3783 return &smack_known_star; 3784 } 3785 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 3786 /* 3787 * Looks like a fallback, which gives us a secid. 3788 */ 3789 skp = smack_from_secid(sap->attr.secid); 3790 /* 3791 * This has got to be a bug because it is 3792 * impossible to specify a fallback without 3793 * specifying the label, which will ensure 3794 * it has a secid, and the only way to get a 3795 * secid is from a fallback. 3796 */ 3797 BUG_ON(skp == NULL); 3798 return skp; 3799 } 3800 /* 3801 * Without guidance regarding the smack value 3802 * for the packet fall back on the network 3803 * ambient value. 3804 */ 3805 return smack_net_ambient; 3806 } 3807 3808 #if IS_ENABLED(CONFIG_IPV6) 3809 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3810 { 3811 u8 nexthdr; 3812 int offset; 3813 int proto = -EINVAL; 3814 struct ipv6hdr _ipv6h; 3815 struct ipv6hdr *ip6; 3816 __be16 frag_off; 3817 struct tcphdr _tcph, *th; 3818 struct udphdr _udph, *uh; 3819 struct dccp_hdr _dccph, *dh; 3820 3821 sip->sin6_port = 0; 3822 3823 offset = skb_network_offset(skb); 3824 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3825 if (ip6 == NULL) 3826 return -EINVAL; 3827 sip->sin6_addr = ip6->saddr; 3828 3829 nexthdr = ip6->nexthdr; 3830 offset += sizeof(_ipv6h); 3831 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3832 if (offset < 0) 3833 return -EINVAL; 3834 3835 proto = nexthdr; 3836 switch (proto) { 3837 case IPPROTO_TCP: 3838 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3839 if (th != NULL) 3840 sip->sin6_port = th->source; 3841 break; 3842 case IPPROTO_UDP: 3843 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3844 if (uh != NULL) 3845 sip->sin6_port = uh->source; 3846 break; 3847 case IPPROTO_DCCP: 3848 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3849 if (dh != NULL) 3850 sip->sin6_port = dh->dccph_sport; 3851 break; 3852 } 3853 return proto; 3854 } 3855 #endif /* CONFIG_IPV6 */ 3856 3857 /** 3858 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3859 * @sk: socket 3860 * @skb: packet 3861 * 3862 * Returns 0 if the packet should be delivered, an error code otherwise 3863 */ 3864 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3865 { 3866 struct netlbl_lsm_secattr secattr; 3867 struct socket_smack *ssp = sk->sk_security; 3868 struct smack_known *skp = NULL; 3869 int rc = 0; 3870 struct smk_audit_info ad; 3871 #ifdef CONFIG_AUDIT 3872 struct lsm_network_audit net; 3873 #endif 3874 #if IS_ENABLED(CONFIG_IPV6) 3875 struct sockaddr_in6 sadd; 3876 int proto; 3877 #endif /* CONFIG_IPV6 */ 3878 3879 switch (sk->sk_family) { 3880 case PF_INET: 3881 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3882 /* 3883 * If there is a secmark use it rather than the CIPSO label. 3884 * If there is no secmark fall back to CIPSO. 3885 * The secmark is assumed to reflect policy better. 3886 */ 3887 if (skb && skb->secmark != 0) { 3888 skp = smack_from_secid(skb->secmark); 3889 goto access_check; 3890 } 3891 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3892 /* 3893 * Translate what netlabel gave us. 3894 */ 3895 netlbl_secattr_init(&secattr); 3896 3897 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 3898 if (rc == 0) 3899 skp = smack_from_secattr(&secattr, ssp); 3900 else 3901 skp = smack_net_ambient; 3902 3903 netlbl_secattr_destroy(&secattr); 3904 3905 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3906 access_check: 3907 #endif 3908 #ifdef CONFIG_AUDIT 3909 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3910 ad.a.u.net->family = sk->sk_family; 3911 ad.a.u.net->netif = skb->skb_iif; 3912 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3913 #endif 3914 /* 3915 * Receiving a packet requires that the other end 3916 * be able to write here. Read access is not required. 3917 * This is the simplist possible security model 3918 * for networking. 3919 */ 3920 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3921 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3922 MAY_WRITE, rc); 3923 if (rc != 0) 3924 netlbl_skbuff_err(skb, rc, 0); 3925 break; 3926 #if IS_ENABLED(CONFIG_IPV6) 3927 case PF_INET6: 3928 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3929 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 3930 break; 3931 #ifdef SMACK_IPV6_SECMARK_LABELING 3932 if (skb && skb->secmark != 0) 3933 skp = smack_from_secid(skb->secmark); 3934 else 3935 skp = smack_ipv6host_label(&sadd); 3936 if (skp == NULL) 3937 skp = smack_net_ambient; 3938 #ifdef CONFIG_AUDIT 3939 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3940 ad.a.u.net->family = sk->sk_family; 3941 ad.a.u.net->netif = skb->skb_iif; 3942 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3943 #endif /* CONFIG_AUDIT */ 3944 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3945 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3946 MAY_WRITE, rc); 3947 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3948 #ifdef SMACK_IPV6_PORT_LABELING 3949 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3950 #endif /* SMACK_IPV6_PORT_LABELING */ 3951 break; 3952 #endif /* CONFIG_IPV6 */ 3953 } 3954 3955 return rc; 3956 } 3957 3958 /** 3959 * smack_socket_getpeersec_stream - pull in packet label 3960 * @sock: the socket 3961 * @optval: user's destination 3962 * @optlen: size thereof 3963 * @len: max thereof 3964 * 3965 * returns zero on success, an error code otherwise 3966 */ 3967 static int smack_socket_getpeersec_stream(struct socket *sock, 3968 char __user *optval, 3969 int __user *optlen, unsigned len) 3970 { 3971 struct socket_smack *ssp; 3972 char *rcp = ""; 3973 int slen = 1; 3974 int rc = 0; 3975 3976 ssp = sock->sk->sk_security; 3977 if (ssp->smk_packet != NULL) { 3978 rcp = ssp->smk_packet->smk_known; 3979 slen = strlen(rcp) + 1; 3980 } 3981 3982 if (slen > len) 3983 rc = -ERANGE; 3984 else if (copy_to_user(optval, rcp, slen) != 0) 3985 rc = -EFAULT; 3986 3987 if (put_user(slen, optlen) != 0) 3988 rc = -EFAULT; 3989 3990 return rc; 3991 } 3992 3993 3994 /** 3995 * smack_socket_getpeersec_dgram - pull in packet label 3996 * @sock: the peer socket 3997 * @skb: packet data 3998 * @secid: pointer to where to put the secid of the packet 3999 * 4000 * Sets the netlabel socket state on sk from parent 4001 */ 4002 static int smack_socket_getpeersec_dgram(struct socket *sock, 4003 struct sk_buff *skb, u32 *secid) 4004 4005 { 4006 struct netlbl_lsm_secattr secattr; 4007 struct socket_smack *ssp = NULL; 4008 struct smack_known *skp; 4009 int family = PF_UNSPEC; 4010 u32 s = 0; /* 0 is the invalid secid */ 4011 int rc; 4012 4013 if (skb != NULL) { 4014 if (skb->protocol == htons(ETH_P_IP)) 4015 family = PF_INET; 4016 #if IS_ENABLED(CONFIG_IPV6) 4017 else if (skb->protocol == htons(ETH_P_IPV6)) 4018 family = PF_INET6; 4019 #endif /* CONFIG_IPV6 */ 4020 } 4021 if (family == PF_UNSPEC && sock != NULL) 4022 family = sock->sk->sk_family; 4023 4024 switch (family) { 4025 case PF_UNIX: 4026 ssp = sock->sk->sk_security; 4027 s = ssp->smk_out->smk_secid; 4028 break; 4029 case PF_INET: 4030 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4031 s = skb->secmark; 4032 if (s != 0) 4033 break; 4034 #endif 4035 /* 4036 * Translate what netlabel gave us. 4037 */ 4038 if (sock != NULL && sock->sk != NULL) 4039 ssp = sock->sk->sk_security; 4040 netlbl_secattr_init(&secattr); 4041 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4042 if (rc == 0) { 4043 skp = smack_from_secattr(&secattr, ssp); 4044 s = skp->smk_secid; 4045 } 4046 netlbl_secattr_destroy(&secattr); 4047 break; 4048 case PF_INET6: 4049 #ifdef SMACK_IPV6_SECMARK_LABELING 4050 s = skb->secmark; 4051 #endif 4052 break; 4053 } 4054 *secid = s; 4055 if (s == 0) 4056 return -EINVAL; 4057 return 0; 4058 } 4059 4060 /** 4061 * smack_sock_graft - Initialize a newly created socket with an existing sock 4062 * @sk: child sock 4063 * @parent: parent socket 4064 * 4065 * Set the smk_{in,out} state of an existing sock based on the process that 4066 * is creating the new socket. 4067 */ 4068 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4069 { 4070 struct socket_smack *ssp; 4071 struct smack_known *skp = smk_of_current(); 4072 4073 if (sk == NULL || 4074 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4075 return; 4076 4077 ssp = sk->sk_security; 4078 ssp->smk_in = skp; 4079 ssp->smk_out = skp; 4080 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4081 } 4082 4083 /** 4084 * smack_inet_conn_request - Smack access check on connect 4085 * @sk: socket involved 4086 * @skb: packet 4087 * @req: unused 4088 * 4089 * Returns 0 if a task with the packet label could write to 4090 * the socket, otherwise an error code 4091 */ 4092 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4093 struct request_sock *req) 4094 { 4095 u16 family = sk->sk_family; 4096 struct smack_known *skp; 4097 struct socket_smack *ssp = sk->sk_security; 4098 struct netlbl_lsm_secattr secattr; 4099 struct sockaddr_in addr; 4100 struct iphdr *hdr; 4101 struct smack_known *hskp; 4102 int rc; 4103 struct smk_audit_info ad; 4104 #ifdef CONFIG_AUDIT 4105 struct lsm_network_audit net; 4106 #endif 4107 4108 #if IS_ENABLED(CONFIG_IPV6) 4109 if (family == PF_INET6) { 4110 /* 4111 * Handle mapped IPv4 packets arriving 4112 * via IPv6 sockets. Don't set up netlabel 4113 * processing on IPv6. 4114 */ 4115 if (skb->protocol == htons(ETH_P_IP)) 4116 family = PF_INET; 4117 else 4118 return 0; 4119 } 4120 #endif /* CONFIG_IPV6 */ 4121 4122 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4123 /* 4124 * If there is a secmark use it rather than the CIPSO label. 4125 * If there is no secmark fall back to CIPSO. 4126 * The secmark is assumed to reflect policy better. 4127 */ 4128 if (skb && skb->secmark != 0) { 4129 skp = smack_from_secid(skb->secmark); 4130 goto access_check; 4131 } 4132 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4133 4134 netlbl_secattr_init(&secattr); 4135 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4136 if (rc == 0) 4137 skp = smack_from_secattr(&secattr, ssp); 4138 else 4139 skp = &smack_known_huh; 4140 netlbl_secattr_destroy(&secattr); 4141 4142 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4143 access_check: 4144 #endif 4145 4146 #ifdef CONFIG_AUDIT 4147 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4148 ad.a.u.net->family = family; 4149 ad.a.u.net->netif = skb->skb_iif; 4150 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4151 #endif 4152 /* 4153 * Receiving a packet requires that the other end be able to write 4154 * here. Read access is not required. 4155 */ 4156 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4157 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4158 if (rc != 0) 4159 return rc; 4160 4161 /* 4162 * Save the peer's label in the request_sock so we can later setup 4163 * smk_packet in the child socket so that SO_PEERCRED can report it. 4164 */ 4165 req->peer_secid = skp->smk_secid; 4166 4167 /* 4168 * We need to decide if we want to label the incoming connection here 4169 * if we do we only need to label the request_sock and the stack will 4170 * propagate the wire-label to the sock when it is created. 4171 */ 4172 hdr = ip_hdr(skb); 4173 addr.sin_addr.s_addr = hdr->saddr; 4174 rcu_read_lock(); 4175 hskp = smack_ipv4host_label(&addr); 4176 rcu_read_unlock(); 4177 4178 if (hskp == NULL) 4179 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4180 else 4181 netlbl_req_delattr(req); 4182 4183 return rc; 4184 } 4185 4186 /** 4187 * smack_inet_csk_clone - Copy the connection information to the new socket 4188 * @sk: the new socket 4189 * @req: the connection's request_sock 4190 * 4191 * Transfer the connection's peer label to the newly created socket. 4192 */ 4193 static void smack_inet_csk_clone(struct sock *sk, 4194 const struct request_sock *req) 4195 { 4196 struct socket_smack *ssp = sk->sk_security; 4197 struct smack_known *skp; 4198 4199 if (req->peer_secid != 0) { 4200 skp = smack_from_secid(req->peer_secid); 4201 ssp->smk_packet = skp; 4202 } else 4203 ssp->smk_packet = NULL; 4204 } 4205 4206 /* 4207 * Key management security hooks 4208 * 4209 * Casey has not tested key support very heavily. 4210 * The permission check is most likely too restrictive. 4211 * If you care about keys please have a look. 4212 */ 4213 #ifdef CONFIG_KEYS 4214 4215 /** 4216 * smack_key_alloc - Set the key security blob 4217 * @key: object 4218 * @cred: the credentials to use 4219 * @flags: unused 4220 * 4221 * No allocation required 4222 * 4223 * Returns 0 4224 */ 4225 static int smack_key_alloc(struct key *key, const struct cred *cred, 4226 unsigned long flags) 4227 { 4228 struct smack_known *skp = smk_of_task(cred->security); 4229 4230 key->security = skp; 4231 return 0; 4232 } 4233 4234 /** 4235 * smack_key_free - Clear the key security blob 4236 * @key: the object 4237 * 4238 * Clear the blob pointer 4239 */ 4240 static void smack_key_free(struct key *key) 4241 { 4242 key->security = NULL; 4243 } 4244 4245 /** 4246 * smack_key_permission - Smack access on a key 4247 * @key_ref: gets to the object 4248 * @cred: the credentials to use 4249 * @perm: requested key permissions 4250 * 4251 * Return 0 if the task has read and write to the object, 4252 * an error code otherwise 4253 */ 4254 static int smack_key_permission(key_ref_t key_ref, 4255 const struct cred *cred, unsigned perm) 4256 { 4257 struct key *keyp; 4258 struct smk_audit_info ad; 4259 struct smack_known *tkp = smk_of_task(cred->security); 4260 int request = 0; 4261 int rc; 4262 4263 keyp = key_ref_to_ptr(key_ref); 4264 if (keyp == NULL) 4265 return -EINVAL; 4266 /* 4267 * If the key hasn't been initialized give it access so that 4268 * it may do so. 4269 */ 4270 if (keyp->security == NULL) 4271 return 0; 4272 /* 4273 * This should not occur 4274 */ 4275 if (tkp == NULL) 4276 return -EACCES; 4277 #ifdef CONFIG_AUDIT 4278 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4279 ad.a.u.key_struct.key = keyp->serial; 4280 ad.a.u.key_struct.key_desc = keyp->description; 4281 #endif 4282 if (perm & KEY_NEED_READ) 4283 request = MAY_READ; 4284 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4285 request = MAY_WRITE; 4286 rc = smk_access(tkp, keyp->security, request, &ad); 4287 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4288 return rc; 4289 } 4290 4291 /* 4292 * smack_key_getsecurity - Smack label tagging the key 4293 * @key points to the key to be queried 4294 * @_buffer points to a pointer that should be set to point to the 4295 * resulting string (if no label or an error occurs). 4296 * Return the length of the string (including terminating NUL) or -ve if 4297 * an error. 4298 * May also return 0 (and a NULL buffer pointer) if there is no label. 4299 */ 4300 static int smack_key_getsecurity(struct key *key, char **_buffer) 4301 { 4302 struct smack_known *skp = key->security; 4303 size_t length; 4304 char *copy; 4305 4306 if (key->security == NULL) { 4307 *_buffer = NULL; 4308 return 0; 4309 } 4310 4311 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4312 if (copy == NULL) 4313 return -ENOMEM; 4314 length = strlen(copy) + 1; 4315 4316 *_buffer = copy; 4317 return length; 4318 } 4319 4320 #endif /* CONFIG_KEYS */ 4321 4322 /* 4323 * Smack Audit hooks 4324 * 4325 * Audit requires a unique representation of each Smack specific 4326 * rule. This unique representation is used to distinguish the 4327 * object to be audited from remaining kernel objects and also 4328 * works as a glue between the audit hooks. 4329 * 4330 * Since repository entries are added but never deleted, we'll use 4331 * the smack_known label address related to the given audit rule as 4332 * the needed unique representation. This also better fits the smack 4333 * model where nearly everything is a label. 4334 */ 4335 #ifdef CONFIG_AUDIT 4336 4337 /** 4338 * smack_audit_rule_init - Initialize a smack audit rule 4339 * @field: audit rule fields given from user-space (audit.h) 4340 * @op: required testing operator (=, !=, >, <, ...) 4341 * @rulestr: smack label to be audited 4342 * @vrule: pointer to save our own audit rule representation 4343 * 4344 * Prepare to audit cases where (@field @op @rulestr) is true. 4345 * The label to be audited is created if necessay. 4346 */ 4347 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4348 { 4349 struct smack_known *skp; 4350 char **rule = (char **)vrule; 4351 *rule = NULL; 4352 4353 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4354 return -EINVAL; 4355 4356 if (op != Audit_equal && op != Audit_not_equal) 4357 return -EINVAL; 4358 4359 skp = smk_import_entry(rulestr, 0); 4360 if (IS_ERR(skp)) 4361 return PTR_ERR(skp); 4362 4363 *rule = skp->smk_known; 4364 4365 return 0; 4366 } 4367 4368 /** 4369 * smack_audit_rule_known - Distinguish Smack audit rules 4370 * @krule: rule of interest, in Audit kernel representation format 4371 * 4372 * This is used to filter Smack rules from remaining Audit ones. 4373 * If it's proved that this rule belongs to us, the 4374 * audit_rule_match hook will be called to do the final judgement. 4375 */ 4376 static int smack_audit_rule_known(struct audit_krule *krule) 4377 { 4378 struct audit_field *f; 4379 int i; 4380 4381 for (i = 0; i < krule->field_count; i++) { 4382 f = &krule->fields[i]; 4383 4384 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4385 return 1; 4386 } 4387 4388 return 0; 4389 } 4390 4391 /** 4392 * smack_audit_rule_match - Audit given object ? 4393 * @secid: security id for identifying the object to test 4394 * @field: audit rule flags given from user-space 4395 * @op: required testing operator 4396 * @vrule: smack internal rule presentation 4397 * @actx: audit context associated with the check 4398 * 4399 * The core Audit hook. It's used to take the decision of 4400 * whether to audit or not to audit a given object. 4401 */ 4402 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4403 struct audit_context *actx) 4404 { 4405 struct smack_known *skp; 4406 char *rule = vrule; 4407 4408 if (unlikely(!rule)) { 4409 WARN_ONCE(1, "Smack: missing rule\n"); 4410 return -ENOENT; 4411 } 4412 4413 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4414 return 0; 4415 4416 skp = smack_from_secid(secid); 4417 4418 /* 4419 * No need to do string comparisons. If a match occurs, 4420 * both pointers will point to the same smack_known 4421 * label. 4422 */ 4423 if (op == Audit_equal) 4424 return (rule == skp->smk_known); 4425 if (op == Audit_not_equal) 4426 return (rule != skp->smk_known); 4427 4428 return 0; 4429 } 4430 4431 /** 4432 * smack_audit_rule_free - free smack rule representation 4433 * @vrule: rule to be freed. 4434 * 4435 * No memory was allocated. 4436 */ 4437 static void smack_audit_rule_free(void *vrule) 4438 { 4439 /* No-op */ 4440 } 4441 4442 #endif /* CONFIG_AUDIT */ 4443 4444 /** 4445 * smack_ismaclabel - check if xattr @name references a smack MAC label 4446 * @name: Full xattr name to check. 4447 */ 4448 static int smack_ismaclabel(const char *name) 4449 { 4450 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4451 } 4452 4453 4454 /** 4455 * smack_secid_to_secctx - return the smack label for a secid 4456 * @secid: incoming integer 4457 * @secdata: destination 4458 * @seclen: how long it is 4459 * 4460 * Exists for networking code. 4461 */ 4462 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4463 { 4464 struct smack_known *skp = smack_from_secid(secid); 4465 4466 if (secdata) 4467 *secdata = skp->smk_known; 4468 *seclen = strlen(skp->smk_known); 4469 return 0; 4470 } 4471 4472 /** 4473 * smack_secctx_to_secid - return the secid for a smack label 4474 * @secdata: smack label 4475 * @seclen: how long result is 4476 * @secid: outgoing integer 4477 * 4478 * Exists for audit and networking code. 4479 */ 4480 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4481 { 4482 struct smack_known *skp = smk_find_entry(secdata); 4483 4484 if (skp) 4485 *secid = skp->smk_secid; 4486 else 4487 *secid = 0; 4488 return 0; 4489 } 4490 4491 /** 4492 * smack_release_secctx - don't do anything. 4493 * @secdata: unused 4494 * @seclen: unused 4495 * 4496 * Exists to make sure nothing gets done, and properly 4497 */ 4498 static void smack_release_secctx(char *secdata, u32 seclen) 4499 { 4500 } 4501 4502 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4503 { 4504 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4505 } 4506 4507 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4508 { 4509 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4510 } 4511 4512 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4513 { 4514 int len = 0; 4515 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 4516 4517 if (len < 0) 4518 return len; 4519 *ctxlen = len; 4520 return 0; 4521 } 4522 4523 static struct security_hook_list smack_hooks[] = { 4524 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4525 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4526 LSM_HOOK_INIT(syslog, smack_syslog), 4527 4528 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4529 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4530 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data), 4531 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount), 4532 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4533 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4534 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str), 4535 4536 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4537 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds), 4538 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), 4539 4540 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4541 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4542 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4543 LSM_HOOK_INIT(inode_link, smack_inode_link), 4544 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4545 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4546 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4547 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4548 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4549 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4550 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4551 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4552 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4553 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4554 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4555 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4556 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4557 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4558 4559 LSM_HOOK_INIT(file_permission, smack_file_permission), 4560 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4561 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4562 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4563 LSM_HOOK_INIT(file_lock, smack_file_lock), 4564 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4565 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4566 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4567 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4568 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4569 LSM_HOOK_INIT(file_receive, smack_file_receive), 4570 4571 LSM_HOOK_INIT(file_open, smack_file_open), 4572 4573 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4574 LSM_HOOK_INIT(cred_free, smack_cred_free), 4575 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4576 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4577 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4578 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4579 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4580 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4581 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4582 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4583 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4584 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4585 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4586 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4587 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4588 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4589 LSM_HOOK_INIT(task_kill, smack_task_kill), 4590 LSM_HOOK_INIT(task_wait, smack_task_wait), 4591 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4592 4593 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4594 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4595 4596 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4597 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4598 4599 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security), 4600 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security), 4601 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4602 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4603 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4604 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4605 4606 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security), 4607 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security), 4608 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4609 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4610 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4611 4612 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security), 4613 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security), 4614 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4615 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4616 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4617 4618 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4619 4620 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4621 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4622 4623 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4624 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4625 4626 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4627 #ifdef SMACK_IPV6_PORT_LABELING 4628 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4629 #endif 4630 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4631 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4632 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4633 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4634 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4635 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4636 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4637 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4638 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4639 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4640 4641 /* key management security hooks */ 4642 #ifdef CONFIG_KEYS 4643 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4644 LSM_HOOK_INIT(key_free, smack_key_free), 4645 LSM_HOOK_INIT(key_permission, smack_key_permission), 4646 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4647 #endif /* CONFIG_KEYS */ 4648 4649 /* Audit hooks */ 4650 #ifdef CONFIG_AUDIT 4651 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4652 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4653 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4654 LSM_HOOK_INIT(audit_rule_free, smack_audit_rule_free), 4655 #endif /* CONFIG_AUDIT */ 4656 4657 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4658 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4659 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4660 LSM_HOOK_INIT(release_secctx, smack_release_secctx), 4661 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4662 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4663 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4664 }; 4665 4666 4667 static __init void init_smack_known_list(void) 4668 { 4669 /* 4670 * Initialize rule list locks 4671 */ 4672 mutex_init(&smack_known_huh.smk_rules_lock); 4673 mutex_init(&smack_known_hat.smk_rules_lock); 4674 mutex_init(&smack_known_floor.smk_rules_lock); 4675 mutex_init(&smack_known_star.smk_rules_lock); 4676 mutex_init(&smack_known_invalid.smk_rules_lock); 4677 mutex_init(&smack_known_web.smk_rules_lock); 4678 /* 4679 * Initialize rule lists 4680 */ 4681 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4682 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4683 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4684 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4685 INIT_LIST_HEAD(&smack_known_invalid.smk_rules); 4686 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4687 /* 4688 * Create the known labels list 4689 */ 4690 smk_insert_entry(&smack_known_huh); 4691 smk_insert_entry(&smack_known_hat); 4692 smk_insert_entry(&smack_known_star); 4693 smk_insert_entry(&smack_known_floor); 4694 smk_insert_entry(&smack_known_invalid); 4695 smk_insert_entry(&smack_known_web); 4696 } 4697 4698 /** 4699 * smack_init - initialize the smack system 4700 * 4701 * Returns 0 4702 */ 4703 static __init int smack_init(void) 4704 { 4705 struct cred *cred; 4706 struct task_smack *tsp; 4707 4708 if (!security_module_enable("smack")) 4709 return 0; 4710 4711 smack_enabled = 1; 4712 4713 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4714 if (!smack_inode_cache) 4715 return -ENOMEM; 4716 4717 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4718 GFP_KERNEL); 4719 if (tsp == NULL) { 4720 kmem_cache_destroy(smack_inode_cache); 4721 return -ENOMEM; 4722 } 4723 4724 pr_info("Smack: Initializing.\n"); 4725 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4726 pr_info("Smack: Netfilter enabled.\n"); 4727 #endif 4728 #ifdef SMACK_IPV6_PORT_LABELING 4729 pr_info("Smack: IPv6 port labeling enabled.\n"); 4730 #endif 4731 #ifdef SMACK_IPV6_SECMARK_LABELING 4732 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4733 #endif 4734 4735 /* 4736 * Set the security state for the initial task. 4737 */ 4738 cred = (struct cred *) current->cred; 4739 cred->security = tsp; 4740 4741 /* initialize the smack_known_list */ 4742 init_smack_known_list(); 4743 4744 /* 4745 * Register with LSM 4746 */ 4747 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks)); 4748 4749 return 0; 4750 } 4751 4752 /* 4753 * Smack requires early initialization in order to label 4754 * all processes and objects when they are created. 4755 */ 4756 security_initcall(smack_init); 4757