1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <uapi/linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include <linux/watch_queue.h> 46 #include <linux/io_uring/cmd.h> 47 #include <uapi/linux/lsm.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 /* 58 * Smack uses multiple xattrs. 59 * SMACK64 - for access control, 60 * SMACK64TRANSMUTE - label initialization, 61 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 62 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 63 */ 64 #define SMACK_INODE_INIT_XATTRS 2 65 66 #ifdef SMACK_IPV6_PORT_LABELING 67 static DEFINE_MUTEX(smack_ipv6_lock); 68 static LIST_HEAD(smk_ipv6_port_list); 69 #endif 70 struct kmem_cache *smack_rule_cache; 71 int smack_enabled __initdata; 72 73 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 74 static struct { 75 const char *name; 76 int len; 77 int opt; 78 } smk_mount_opts[] = { 79 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 80 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 81 }; 82 #undef A 83 84 static int match_opt_prefix(char *s, int l, char **arg) 85 { 86 int i; 87 88 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 89 size_t len = smk_mount_opts[i].len; 90 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 91 continue; 92 if (len == l || s[len] != '=') 93 continue; 94 *arg = s + len + 1; 95 return smk_mount_opts[i].opt; 96 } 97 return Opt_error; 98 } 99 100 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 101 static char *smk_bu_mess[] = { 102 "Bringup Error", /* Unused */ 103 "Bringup", /* SMACK_BRINGUP_ALLOW */ 104 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 105 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 106 }; 107 108 static void smk_bu_mode(int mode, char *s) 109 { 110 smack_str_from_perm(s, mode); 111 } 112 #endif 113 114 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 115 static int smk_bu_note(char *note, struct smack_known *sskp, 116 struct smack_known *oskp, int mode, int rc) 117 { 118 char acc[SMK_NUM_ACCESS_TYPE + 1]; 119 120 if (rc <= 0) 121 return rc; 122 if (rc > SMACK_UNCONFINED_OBJECT) 123 rc = 0; 124 125 smk_bu_mode(mode, acc); 126 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 127 sskp->smk_known, oskp->smk_known, acc, note); 128 return 0; 129 } 130 #else 131 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 132 #endif 133 134 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 135 static int smk_bu_current(char *note, struct smack_known *oskp, 136 int mode, int rc) 137 { 138 struct task_smack *tsp = smack_cred(current_cred()); 139 char acc[SMK_NUM_ACCESS_TYPE + 1]; 140 141 if (rc <= 0) 142 return rc; 143 if (rc > SMACK_UNCONFINED_OBJECT) 144 rc = 0; 145 146 smk_bu_mode(mode, acc); 147 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 148 tsp->smk_task->smk_known, oskp->smk_known, 149 acc, current->comm, note); 150 return 0; 151 } 152 #else 153 #define smk_bu_current(note, oskp, mode, RC) (RC) 154 #endif 155 156 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 157 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 158 { 159 struct task_smack *tsp = smack_cred(current_cred()); 160 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 161 char acc[SMK_NUM_ACCESS_TYPE + 1]; 162 163 if (rc <= 0) 164 return rc; 165 if (rc > SMACK_UNCONFINED_OBJECT) 166 rc = 0; 167 168 smk_bu_mode(mode, acc); 169 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 170 tsp->smk_task->smk_known, smk_task->smk_known, acc, 171 current->comm, otp->comm); 172 return 0; 173 } 174 #else 175 #define smk_bu_task(otp, mode, RC) (RC) 176 #endif 177 178 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 179 static int smk_bu_inode(struct inode *inode, int mode, int rc) 180 { 181 struct task_smack *tsp = smack_cred(current_cred()); 182 struct inode_smack *isp = smack_inode(inode); 183 char acc[SMK_NUM_ACCESS_TYPE + 1]; 184 185 if (isp->smk_flags & SMK_INODE_IMPURE) 186 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 187 inode->i_sb->s_id, inode->i_ino, current->comm); 188 189 if (rc <= 0) 190 return rc; 191 if (rc > SMACK_UNCONFINED_OBJECT) 192 rc = 0; 193 if (rc == SMACK_UNCONFINED_SUBJECT && 194 (mode & (MAY_WRITE | MAY_APPEND))) 195 isp->smk_flags |= SMK_INODE_IMPURE; 196 197 smk_bu_mode(mode, acc); 198 199 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 200 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 201 inode->i_sb->s_id, inode->i_ino, current->comm); 202 return 0; 203 } 204 #else 205 #define smk_bu_inode(inode, mode, RC) (RC) 206 #endif 207 208 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 209 static int smk_bu_file(struct file *file, int mode, int rc) 210 { 211 struct task_smack *tsp = smack_cred(current_cred()); 212 struct smack_known *sskp = tsp->smk_task; 213 struct inode *inode = file_inode(file); 214 struct inode_smack *isp = smack_inode(inode); 215 char acc[SMK_NUM_ACCESS_TYPE + 1]; 216 217 if (isp->smk_flags & SMK_INODE_IMPURE) 218 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 219 inode->i_sb->s_id, inode->i_ino, current->comm); 220 221 if (rc <= 0) 222 return rc; 223 if (rc > SMACK_UNCONFINED_OBJECT) 224 rc = 0; 225 226 smk_bu_mode(mode, acc); 227 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 228 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 229 inode->i_sb->s_id, inode->i_ino, file, 230 current->comm); 231 return 0; 232 } 233 #else 234 #define smk_bu_file(file, mode, RC) (RC) 235 #endif 236 237 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 238 static int smk_bu_credfile(const struct cred *cred, struct file *file, 239 int mode, int rc) 240 { 241 struct task_smack *tsp = smack_cred(cred); 242 struct smack_known *sskp = tsp->smk_task; 243 struct inode *inode = file_inode(file); 244 struct inode_smack *isp = smack_inode(inode); 245 char acc[SMK_NUM_ACCESS_TYPE + 1]; 246 247 if (isp->smk_flags & SMK_INODE_IMPURE) 248 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 249 inode->i_sb->s_id, inode->i_ino, current->comm); 250 251 if (rc <= 0) 252 return rc; 253 if (rc > SMACK_UNCONFINED_OBJECT) 254 rc = 0; 255 256 smk_bu_mode(mode, acc); 257 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 258 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 259 inode->i_sb->s_id, inode->i_ino, file, 260 current->comm); 261 return 0; 262 } 263 #else 264 #define smk_bu_credfile(cred, file, mode, RC) (RC) 265 #endif 266 267 /** 268 * smk_fetch - Fetch the smack label from a file. 269 * @name: type of the label (attribute) 270 * @ip: a pointer to the inode 271 * @dp: a pointer to the dentry 272 * 273 * Returns a pointer to the master list entry for the Smack label, 274 * NULL if there was no label to fetch, or an error code. 275 */ 276 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 277 struct dentry *dp) 278 { 279 int rc; 280 char *buffer; 281 struct smack_known *skp = NULL; 282 283 if (!(ip->i_opflags & IOP_XATTR)) 284 return ERR_PTR(-EOPNOTSUPP); 285 286 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 287 if (buffer == NULL) 288 return ERR_PTR(-ENOMEM); 289 290 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 291 if (rc < 0) 292 skp = ERR_PTR(rc); 293 else if (rc == 0) 294 skp = NULL; 295 else 296 skp = smk_import_entry(buffer, rc); 297 298 kfree(buffer); 299 300 return skp; 301 } 302 303 /** 304 * init_inode_smack - initialize an inode security blob 305 * @inode: inode to extract the info from 306 * @skp: a pointer to the Smack label entry to use in the blob 307 * 308 */ 309 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 310 { 311 struct inode_smack *isp = smack_inode(inode); 312 313 isp->smk_inode = skp; 314 isp->smk_flags = 0; 315 } 316 317 /** 318 * init_task_smack - initialize a task security blob 319 * @tsp: blob to initialize 320 * @task: a pointer to the Smack label for the running task 321 * @forked: a pointer to the Smack label for the forked task 322 * 323 */ 324 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 325 struct smack_known *forked) 326 { 327 tsp->smk_task = task; 328 tsp->smk_forked = forked; 329 INIT_LIST_HEAD(&tsp->smk_rules); 330 INIT_LIST_HEAD(&tsp->smk_relabel); 331 mutex_init(&tsp->smk_rules_lock); 332 } 333 334 /** 335 * smk_copy_rules - copy a rule set 336 * @nhead: new rules header pointer 337 * @ohead: old rules header pointer 338 * @gfp: type of the memory for the allocation 339 * 340 * Returns 0 on success, -ENOMEM on error 341 */ 342 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 343 gfp_t gfp) 344 { 345 struct smack_rule *nrp; 346 struct smack_rule *orp; 347 int rc = 0; 348 349 list_for_each_entry_rcu(orp, ohead, list) { 350 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 351 if (nrp == NULL) { 352 rc = -ENOMEM; 353 break; 354 } 355 *nrp = *orp; 356 list_add_rcu(&nrp->list, nhead); 357 } 358 return rc; 359 } 360 361 /** 362 * smk_copy_relabel - copy smk_relabel labels list 363 * @nhead: new rules header pointer 364 * @ohead: old rules header pointer 365 * @gfp: type of the memory for the allocation 366 * 367 * Returns 0 on success, -ENOMEM on error 368 */ 369 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 370 gfp_t gfp) 371 { 372 struct smack_known_list_elem *nklep; 373 struct smack_known_list_elem *oklep; 374 375 list_for_each_entry(oklep, ohead, list) { 376 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 377 if (nklep == NULL) { 378 smk_destroy_label_list(nhead); 379 return -ENOMEM; 380 } 381 nklep->smk_label = oklep->smk_label; 382 list_add(&nklep->list, nhead); 383 } 384 385 return 0; 386 } 387 388 /** 389 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 390 * @mode: input mode in form of PTRACE_MODE_* 391 * 392 * Returns a converted MAY_* mode usable by smack rules 393 */ 394 static inline unsigned int smk_ptrace_mode(unsigned int mode) 395 { 396 if (mode & PTRACE_MODE_ATTACH) 397 return MAY_READWRITE; 398 if (mode & PTRACE_MODE_READ) 399 return MAY_READ; 400 401 return 0; 402 } 403 404 /** 405 * smk_ptrace_rule_check - helper for ptrace access 406 * @tracer: tracer process 407 * @tracee_known: label entry of the process that's about to be traced 408 * @mode: ptrace attachment mode (PTRACE_MODE_*) 409 * @func: name of the function that called us, used for audit 410 * 411 * Returns 0 on access granted, -error on error 412 */ 413 static int smk_ptrace_rule_check(struct task_struct *tracer, 414 struct smack_known *tracee_known, 415 unsigned int mode, const char *func) 416 { 417 int rc; 418 struct smk_audit_info ad, *saip = NULL; 419 struct task_smack *tsp; 420 struct smack_known *tracer_known; 421 const struct cred *tracercred; 422 423 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 424 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 425 smk_ad_setfield_u_tsk(&ad, tracer); 426 saip = &ad; 427 } 428 429 rcu_read_lock(); 430 tracercred = __task_cred(tracer); 431 tsp = smack_cred(tracercred); 432 tracer_known = smk_of_task(tsp); 433 434 if ((mode & PTRACE_MODE_ATTACH) && 435 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 436 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 437 if (tracer_known->smk_known == tracee_known->smk_known) 438 rc = 0; 439 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 440 rc = -EACCES; 441 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 442 rc = 0; 443 else 444 rc = -EACCES; 445 446 if (saip) 447 smack_log(tracer_known->smk_known, 448 tracee_known->smk_known, 449 0, rc, saip); 450 451 rcu_read_unlock(); 452 return rc; 453 } 454 455 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 456 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 457 458 rcu_read_unlock(); 459 return rc; 460 } 461 462 /* 463 * LSM hooks. 464 * We he, that is fun! 465 */ 466 467 /** 468 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 469 * @ctp: child task pointer 470 * @mode: ptrace attachment mode (PTRACE_MODE_*) 471 * 472 * Returns 0 if access is OK, an error code otherwise 473 * 474 * Do the capability checks. 475 */ 476 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 477 { 478 struct smack_known *skp; 479 480 skp = smk_of_task_struct_obj(ctp); 481 482 return smk_ptrace_rule_check(current, skp, mode, __func__); 483 } 484 485 /** 486 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 487 * @ptp: parent task pointer 488 * 489 * Returns 0 if access is OK, an error code otherwise 490 * 491 * Do the capability checks, and require PTRACE_MODE_ATTACH. 492 */ 493 static int smack_ptrace_traceme(struct task_struct *ptp) 494 { 495 struct smack_known *skp; 496 497 skp = smk_of_task(smack_cred(current_cred())); 498 499 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 500 } 501 502 /** 503 * smack_syslog - Smack approval on syslog 504 * @typefrom_file: unused 505 * 506 * Returns 0 on success, error code otherwise. 507 */ 508 static int smack_syslog(int typefrom_file) 509 { 510 int rc = 0; 511 struct smack_known *skp = smk_of_current(); 512 513 if (smack_privileged(CAP_MAC_OVERRIDE)) 514 return 0; 515 516 if (smack_syslog_label != NULL && smack_syslog_label != skp) 517 rc = -EACCES; 518 519 return rc; 520 } 521 522 /* 523 * Superblock Hooks. 524 */ 525 526 /** 527 * smack_sb_alloc_security - allocate a superblock blob 528 * @sb: the superblock getting the blob 529 * 530 * Returns 0 on success or -ENOMEM on error. 531 */ 532 static int smack_sb_alloc_security(struct super_block *sb) 533 { 534 struct superblock_smack *sbsp = smack_superblock(sb); 535 536 sbsp->smk_root = &smack_known_floor; 537 sbsp->smk_default = &smack_known_floor; 538 sbsp->smk_floor = &smack_known_floor; 539 sbsp->smk_hat = &smack_known_hat; 540 /* 541 * SMK_SB_INITIALIZED will be zero from kzalloc. 542 */ 543 544 return 0; 545 } 546 547 struct smack_mnt_opts { 548 const char *fsdefault; 549 const char *fsfloor; 550 const char *fshat; 551 const char *fsroot; 552 const char *fstransmute; 553 }; 554 555 static void smack_free_mnt_opts(void *mnt_opts) 556 { 557 kfree(mnt_opts); 558 } 559 560 static int smack_add_opt(int token, const char *s, void **mnt_opts) 561 { 562 struct smack_mnt_opts *opts = *mnt_opts; 563 struct smack_known *skp; 564 565 if (!opts) { 566 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 567 if (!opts) 568 return -ENOMEM; 569 *mnt_opts = opts; 570 } 571 if (!s) 572 return -ENOMEM; 573 574 skp = smk_import_entry(s, 0); 575 if (IS_ERR(skp)) 576 return PTR_ERR(skp); 577 578 switch (token) { 579 case Opt_fsdefault: 580 if (opts->fsdefault) 581 goto out_opt_err; 582 opts->fsdefault = skp->smk_known; 583 break; 584 case Opt_fsfloor: 585 if (opts->fsfloor) 586 goto out_opt_err; 587 opts->fsfloor = skp->smk_known; 588 break; 589 case Opt_fshat: 590 if (opts->fshat) 591 goto out_opt_err; 592 opts->fshat = skp->smk_known; 593 break; 594 case Opt_fsroot: 595 if (opts->fsroot) 596 goto out_opt_err; 597 opts->fsroot = skp->smk_known; 598 break; 599 case Opt_fstransmute: 600 if (opts->fstransmute) 601 goto out_opt_err; 602 opts->fstransmute = skp->smk_known; 603 break; 604 } 605 return 0; 606 607 out_opt_err: 608 pr_warn("Smack: duplicate mount options\n"); 609 return -EINVAL; 610 } 611 612 /** 613 * smack_fs_context_submount - Initialise security data for a filesystem context 614 * @fc: The filesystem context. 615 * @reference: reference superblock 616 * 617 * Returns 0 on success or -ENOMEM on error. 618 */ 619 static int smack_fs_context_submount(struct fs_context *fc, 620 struct super_block *reference) 621 { 622 struct superblock_smack *sbsp; 623 struct smack_mnt_opts *ctx; 624 struct inode_smack *isp; 625 626 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 627 if (!ctx) 628 return -ENOMEM; 629 fc->security = ctx; 630 631 sbsp = smack_superblock(reference); 632 isp = smack_inode(reference->s_root->d_inode); 633 634 if (sbsp->smk_default) { 635 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 636 if (!ctx->fsdefault) 637 return -ENOMEM; 638 } 639 640 if (sbsp->smk_floor) { 641 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 642 if (!ctx->fsfloor) 643 return -ENOMEM; 644 } 645 646 if (sbsp->smk_hat) { 647 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 648 if (!ctx->fshat) 649 return -ENOMEM; 650 } 651 652 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 653 if (sbsp->smk_root) { 654 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 655 if (!ctx->fstransmute) 656 return -ENOMEM; 657 } 658 } 659 return 0; 660 } 661 662 /** 663 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 664 * @fc: The new filesystem context. 665 * @src_fc: The source filesystem context being duplicated. 666 * 667 * Returns 0 on success or -ENOMEM on error. 668 */ 669 static int smack_fs_context_dup(struct fs_context *fc, 670 struct fs_context *src_fc) 671 { 672 struct smack_mnt_opts *dst, *src = src_fc->security; 673 674 if (!src) 675 return 0; 676 677 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 678 if (!fc->security) 679 return -ENOMEM; 680 681 dst = fc->security; 682 dst->fsdefault = src->fsdefault; 683 dst->fsfloor = src->fsfloor; 684 dst->fshat = src->fshat; 685 dst->fsroot = src->fsroot; 686 dst->fstransmute = src->fstransmute; 687 688 return 0; 689 } 690 691 static const struct fs_parameter_spec smack_fs_parameters[] = { 692 fsparam_string("smackfsdef", Opt_fsdefault), 693 fsparam_string("smackfsdefault", Opt_fsdefault), 694 fsparam_string("smackfsfloor", Opt_fsfloor), 695 fsparam_string("smackfshat", Opt_fshat), 696 fsparam_string("smackfsroot", Opt_fsroot), 697 fsparam_string("smackfstransmute", Opt_fstransmute), 698 {} 699 }; 700 701 /** 702 * smack_fs_context_parse_param - Parse a single mount parameter 703 * @fc: The new filesystem context being constructed. 704 * @param: The parameter. 705 * 706 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 707 * error. 708 */ 709 static int smack_fs_context_parse_param(struct fs_context *fc, 710 struct fs_parameter *param) 711 { 712 struct fs_parse_result result; 713 int opt, rc; 714 715 opt = fs_parse(fc, smack_fs_parameters, param, &result); 716 if (opt < 0) 717 return opt; 718 719 rc = smack_add_opt(opt, param->string, &fc->security); 720 if (!rc) 721 param->string = NULL; 722 return rc; 723 } 724 725 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 726 { 727 char *from = options, *to = options; 728 bool first = true; 729 730 while (1) { 731 char *next = strchr(from, ','); 732 int token, len, rc; 733 char *arg = NULL; 734 735 if (next) 736 len = next - from; 737 else 738 len = strlen(from); 739 740 token = match_opt_prefix(from, len, &arg); 741 if (token != Opt_error) { 742 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 743 rc = smack_add_opt(token, arg, mnt_opts); 744 kfree(arg); 745 if (unlikely(rc)) { 746 if (*mnt_opts) 747 smack_free_mnt_opts(*mnt_opts); 748 *mnt_opts = NULL; 749 return rc; 750 } 751 } else { 752 if (!first) { // copy with preceding comma 753 from--; 754 len++; 755 } 756 if (to != from) 757 memmove(to, from, len); 758 to += len; 759 first = false; 760 } 761 if (!from[len]) 762 break; 763 from += len + 1; 764 } 765 *to = '\0'; 766 return 0; 767 } 768 769 /** 770 * smack_set_mnt_opts - set Smack specific mount options 771 * @sb: the file system superblock 772 * @mnt_opts: Smack mount options 773 * @kern_flags: mount option from kernel space or user space 774 * @set_kern_flags: where to store converted mount opts 775 * 776 * Returns 0 on success, an error code on failure 777 * 778 * Allow filesystems with binary mount data to explicitly set Smack mount 779 * labels. 780 */ 781 static int smack_set_mnt_opts(struct super_block *sb, 782 void *mnt_opts, 783 unsigned long kern_flags, 784 unsigned long *set_kern_flags) 785 { 786 struct dentry *root = sb->s_root; 787 struct inode *inode = d_backing_inode(root); 788 struct superblock_smack *sp = smack_superblock(sb); 789 struct inode_smack *isp; 790 struct smack_known *skp; 791 struct smack_mnt_opts *opts = mnt_opts; 792 bool transmute = false; 793 794 if (sp->smk_flags & SMK_SB_INITIALIZED) 795 return 0; 796 797 if (!smack_privileged(CAP_MAC_ADMIN)) { 798 /* 799 * Unprivileged mounts don't get to specify Smack values. 800 */ 801 if (opts) 802 return -EPERM; 803 /* 804 * Unprivileged mounts get root and default from the caller. 805 */ 806 skp = smk_of_current(); 807 sp->smk_root = skp; 808 sp->smk_default = skp; 809 /* 810 * For a handful of fs types with no user-controlled 811 * backing store it's okay to trust security labels 812 * in the filesystem. The rest are untrusted. 813 */ 814 if (sb->s_user_ns != &init_user_ns && 815 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 816 sb->s_magic != RAMFS_MAGIC) { 817 transmute = true; 818 sp->smk_flags |= SMK_SB_UNTRUSTED; 819 } 820 } 821 822 sp->smk_flags |= SMK_SB_INITIALIZED; 823 824 if (opts) { 825 if (opts->fsdefault) { 826 skp = smk_import_entry(opts->fsdefault, 0); 827 if (IS_ERR(skp)) 828 return PTR_ERR(skp); 829 sp->smk_default = skp; 830 } 831 if (opts->fsfloor) { 832 skp = smk_import_entry(opts->fsfloor, 0); 833 if (IS_ERR(skp)) 834 return PTR_ERR(skp); 835 sp->smk_floor = skp; 836 } 837 if (opts->fshat) { 838 skp = smk_import_entry(opts->fshat, 0); 839 if (IS_ERR(skp)) 840 return PTR_ERR(skp); 841 sp->smk_hat = skp; 842 } 843 if (opts->fsroot) { 844 skp = smk_import_entry(opts->fsroot, 0); 845 if (IS_ERR(skp)) 846 return PTR_ERR(skp); 847 sp->smk_root = skp; 848 } 849 if (opts->fstransmute) { 850 skp = smk_import_entry(opts->fstransmute, 0); 851 if (IS_ERR(skp)) 852 return PTR_ERR(skp); 853 sp->smk_root = skp; 854 transmute = true; 855 } 856 } 857 858 /* 859 * Initialize the root inode. 860 */ 861 init_inode_smack(inode, sp->smk_root); 862 863 if (transmute) { 864 isp = smack_inode(inode); 865 isp->smk_flags |= SMK_INODE_TRANSMUTE; 866 } 867 868 return 0; 869 } 870 871 /** 872 * smack_sb_statfs - Smack check on statfs 873 * @dentry: identifies the file system in question 874 * 875 * Returns 0 if current can read the floor of the filesystem, 876 * and error code otherwise 877 */ 878 static int smack_sb_statfs(struct dentry *dentry) 879 { 880 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 881 int rc; 882 struct smk_audit_info ad; 883 884 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 885 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 886 887 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 888 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 889 return rc; 890 } 891 892 /* 893 * BPRM hooks 894 */ 895 896 /** 897 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 898 * @bprm: the exec information 899 * 900 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 901 */ 902 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 903 { 904 struct inode *inode = file_inode(bprm->file); 905 struct task_smack *bsp = smack_cred(bprm->cred); 906 struct inode_smack *isp; 907 struct superblock_smack *sbsp; 908 int rc; 909 910 isp = smack_inode(inode); 911 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 912 return 0; 913 914 sbsp = smack_superblock(inode->i_sb); 915 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 916 isp->smk_task != sbsp->smk_root) 917 return 0; 918 919 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 920 struct task_struct *tracer; 921 rc = 0; 922 923 rcu_read_lock(); 924 tracer = ptrace_parent(current); 925 if (likely(tracer != NULL)) 926 rc = smk_ptrace_rule_check(tracer, 927 isp->smk_task, 928 PTRACE_MODE_ATTACH, 929 __func__); 930 rcu_read_unlock(); 931 932 if (rc != 0) 933 return rc; 934 } 935 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 936 return -EPERM; 937 938 bsp->smk_task = isp->smk_task; 939 bprm->per_clear |= PER_CLEAR_ON_SETID; 940 941 /* Decide if this is a secure exec. */ 942 if (bsp->smk_task != bsp->smk_forked) 943 bprm->secureexec = 1; 944 945 return 0; 946 } 947 948 /* 949 * Inode hooks 950 */ 951 952 /** 953 * smack_inode_alloc_security - allocate an inode blob 954 * @inode: the inode in need of a blob 955 * 956 * Returns 0 957 */ 958 static int smack_inode_alloc_security(struct inode *inode) 959 { 960 struct smack_known *skp = smk_of_current(); 961 962 init_inode_smack(inode, skp); 963 return 0; 964 } 965 966 /** 967 * smack_inode_init_security - copy out the smack from an inode 968 * @inode: the newly created inode 969 * @dir: containing directory object 970 * @qstr: unused 971 * @xattrs: where to put the attributes 972 * @xattr_count: current number of LSM-provided xattrs (updated) 973 * 974 * Returns 0 if it all works out, -ENOMEM if there's no memory 975 */ 976 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 977 const struct qstr *qstr, 978 struct xattr *xattrs, int *xattr_count) 979 { 980 struct task_smack *tsp = smack_cred(current_cred()); 981 struct inode_smack *issp = smack_inode(inode); 982 struct smack_known *skp = smk_of_task(tsp); 983 struct smack_known *isp = smk_of_inode(inode); 984 struct smack_known *dsp = smk_of_inode(dir); 985 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 986 int may; 987 988 /* 989 * If equal, transmuting already occurred in 990 * smack_dentry_create_files_as(). No need to check again. 991 */ 992 if (tsp->smk_task != tsp->smk_transmuted) { 993 rcu_read_lock(); 994 may = smk_access_entry(skp->smk_known, dsp->smk_known, 995 &skp->smk_rules); 996 rcu_read_unlock(); 997 } 998 999 /* 1000 * In addition to having smk_task equal to smk_transmuted, 1001 * if the access rule allows transmutation and the directory 1002 * requests transmutation then by all means transmute. 1003 * Mark the inode as changed. 1004 */ 1005 if ((tsp->smk_task == tsp->smk_transmuted) || 1006 (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1007 smk_inode_transmutable(dir))) { 1008 struct xattr *xattr_transmute; 1009 1010 /* 1011 * The caller of smack_dentry_create_files_as() 1012 * should have overridden the current cred, so the 1013 * inode label was already set correctly in 1014 * smack_inode_alloc_security(). 1015 */ 1016 if (tsp->smk_task != tsp->smk_transmuted) 1017 isp = issp->smk_inode = dsp; 1018 1019 issp->smk_flags |= SMK_INODE_TRANSMUTE; 1020 xattr_transmute = lsm_get_xattr_slot(xattrs, 1021 xattr_count); 1022 if (xattr_transmute) { 1023 xattr_transmute->value = kmemdup(TRANS_TRUE, 1024 TRANS_TRUE_SIZE, 1025 GFP_NOFS); 1026 if (!xattr_transmute->value) 1027 return -ENOMEM; 1028 1029 xattr_transmute->value_len = TRANS_TRUE_SIZE; 1030 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1031 } 1032 } 1033 1034 issp->smk_flags |= SMK_INODE_INSTANT; 1035 1036 if (xattr) { 1037 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1038 if (!xattr->value) 1039 return -ENOMEM; 1040 1041 xattr->value_len = strlen(isp->smk_known); 1042 xattr->name = XATTR_SMACK_SUFFIX; 1043 } 1044 1045 return 0; 1046 } 1047 1048 /** 1049 * smack_inode_link - Smack check on link 1050 * @old_dentry: the existing object 1051 * @dir: unused 1052 * @new_dentry: the new object 1053 * 1054 * Returns 0 if access is permitted, an error code otherwise 1055 */ 1056 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1057 struct dentry *new_dentry) 1058 { 1059 struct smack_known *isp; 1060 struct smk_audit_info ad; 1061 int rc; 1062 1063 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1064 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1065 1066 isp = smk_of_inode(d_backing_inode(old_dentry)); 1067 rc = smk_curacc(isp, MAY_WRITE, &ad); 1068 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1069 1070 if (rc == 0 && d_is_positive(new_dentry)) { 1071 isp = smk_of_inode(d_backing_inode(new_dentry)); 1072 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1073 rc = smk_curacc(isp, MAY_WRITE, &ad); 1074 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1075 } 1076 1077 return rc; 1078 } 1079 1080 /** 1081 * smack_inode_unlink - Smack check on inode deletion 1082 * @dir: containing directory object 1083 * @dentry: file to unlink 1084 * 1085 * Returns 0 if current can write the containing directory 1086 * and the object, error code otherwise 1087 */ 1088 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1089 { 1090 struct inode *ip = d_backing_inode(dentry); 1091 struct smk_audit_info ad; 1092 int rc; 1093 1094 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1095 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1096 1097 /* 1098 * You need write access to the thing you're unlinking 1099 */ 1100 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1101 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1102 if (rc == 0) { 1103 /* 1104 * You also need write access to the containing directory 1105 */ 1106 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1107 smk_ad_setfield_u_fs_inode(&ad, dir); 1108 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1109 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1110 } 1111 return rc; 1112 } 1113 1114 /** 1115 * smack_inode_rmdir - Smack check on directory deletion 1116 * @dir: containing directory object 1117 * @dentry: directory to unlink 1118 * 1119 * Returns 0 if current can write the containing directory 1120 * and the directory, error code otherwise 1121 */ 1122 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1123 { 1124 struct smk_audit_info ad; 1125 int rc; 1126 1127 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1128 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1129 1130 /* 1131 * You need write access to the thing you're removing 1132 */ 1133 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1134 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1135 if (rc == 0) { 1136 /* 1137 * You also need write access to the containing directory 1138 */ 1139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1140 smk_ad_setfield_u_fs_inode(&ad, dir); 1141 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1142 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1143 } 1144 1145 return rc; 1146 } 1147 1148 /** 1149 * smack_inode_rename - Smack check on rename 1150 * @old_inode: unused 1151 * @old_dentry: the old object 1152 * @new_inode: unused 1153 * @new_dentry: the new object 1154 * 1155 * Read and write access is required on both the old and 1156 * new directories. 1157 * 1158 * Returns 0 if access is permitted, an error code otherwise 1159 */ 1160 static int smack_inode_rename(struct inode *old_inode, 1161 struct dentry *old_dentry, 1162 struct inode *new_inode, 1163 struct dentry *new_dentry) 1164 { 1165 int rc; 1166 struct smack_known *isp; 1167 struct smk_audit_info ad; 1168 1169 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1170 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1171 1172 isp = smk_of_inode(d_backing_inode(old_dentry)); 1173 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1174 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1175 1176 if (rc == 0 && d_is_positive(new_dentry)) { 1177 isp = smk_of_inode(d_backing_inode(new_dentry)); 1178 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1179 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1180 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1181 } 1182 return rc; 1183 } 1184 1185 /** 1186 * smack_inode_permission - Smack version of permission() 1187 * @inode: the inode in question 1188 * @mask: the access requested 1189 * 1190 * This is the important Smack hook. 1191 * 1192 * Returns 0 if access is permitted, an error code otherwise 1193 */ 1194 static int smack_inode_permission(struct inode *inode, int mask) 1195 { 1196 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1197 struct smk_audit_info ad; 1198 int no_block = mask & MAY_NOT_BLOCK; 1199 int rc; 1200 1201 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1202 /* 1203 * No permission to check. Existence test. Yup, it's there. 1204 */ 1205 if (mask == 0) 1206 return 0; 1207 1208 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1209 if (smk_of_inode(inode) != sbsp->smk_root) 1210 return -EACCES; 1211 } 1212 1213 /* May be droppable after audit */ 1214 if (no_block) 1215 return -ECHILD; 1216 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1217 smk_ad_setfield_u_fs_inode(&ad, inode); 1218 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1219 rc = smk_bu_inode(inode, mask, rc); 1220 return rc; 1221 } 1222 1223 /** 1224 * smack_inode_setattr - Smack check for setting attributes 1225 * @idmap: idmap of the mount 1226 * @dentry: the object 1227 * @iattr: for the force flag 1228 * 1229 * Returns 0 if access is permitted, an error code otherwise 1230 */ 1231 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1232 struct iattr *iattr) 1233 { 1234 struct smk_audit_info ad; 1235 int rc; 1236 1237 /* 1238 * Need to allow for clearing the setuid bit. 1239 */ 1240 if (iattr->ia_valid & ATTR_FORCE) 1241 return 0; 1242 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1243 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1244 1245 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1246 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1247 return rc; 1248 } 1249 1250 /** 1251 * smack_inode_getattr - Smack check for getting attributes 1252 * @path: path to extract the info from 1253 * 1254 * Returns 0 if access is permitted, an error code otherwise 1255 */ 1256 static int smack_inode_getattr(const struct path *path) 1257 { 1258 struct smk_audit_info ad; 1259 struct inode *inode = d_backing_inode(path->dentry); 1260 int rc; 1261 1262 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1263 smk_ad_setfield_u_fs_path(&ad, *path); 1264 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1265 rc = smk_bu_inode(inode, MAY_READ, rc); 1266 return rc; 1267 } 1268 1269 /** 1270 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1271 * @name: name of the xattr 1272 * 1273 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1274 * named @name; the LSM layer should avoid enforcing any traditional 1275 * capability based access controls on this xattr. Returns 0 to indicate that 1276 * Smack does not "own" the access control rights to xattrs named @name and is 1277 * deferring to the LSM layer for further access controls, including capability 1278 * based controls. 1279 */ 1280 static int smack_inode_xattr_skipcap(const char *name) 1281 { 1282 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1283 return 0; 1284 1285 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1286 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1287 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1288 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1289 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1290 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1291 return 1; 1292 1293 return 0; 1294 } 1295 1296 /** 1297 * smack_inode_setxattr - Smack check for setting xattrs 1298 * @idmap: idmap of the mount 1299 * @dentry: the object 1300 * @name: name of the attribute 1301 * @value: value of the attribute 1302 * @size: size of the value 1303 * @flags: unused 1304 * 1305 * This protects the Smack attribute explicitly. 1306 * 1307 * Returns 0 if access is permitted, an error code otherwise 1308 */ 1309 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1310 struct dentry *dentry, const char *name, 1311 const void *value, size_t size, int flags) 1312 { 1313 struct smk_audit_info ad; 1314 struct smack_known *skp; 1315 int check_priv = 0; 1316 int check_import = 0; 1317 int check_star = 0; 1318 int rc = 0; 1319 1320 /* 1321 * Check label validity here so import won't fail in post_setxattr 1322 */ 1323 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1324 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1325 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1326 check_priv = 1; 1327 check_import = 1; 1328 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1329 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1330 check_priv = 1; 1331 check_import = 1; 1332 check_star = 1; 1333 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1334 check_priv = 1; 1335 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || 1336 size != TRANS_TRUE_SIZE || 1337 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1338 rc = -EINVAL; 1339 } 1340 1341 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1342 rc = -EPERM; 1343 1344 if (rc == 0 && check_import) { 1345 skp = size ? smk_import_entry(value, size) : NULL; 1346 if (IS_ERR(skp)) 1347 rc = PTR_ERR(skp); 1348 else if (skp == NULL || (check_star && 1349 (skp == &smack_known_star || skp == &smack_known_web))) 1350 rc = -EINVAL; 1351 } 1352 1353 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1354 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1355 1356 if (rc == 0) { 1357 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1358 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1359 } 1360 1361 return rc; 1362 } 1363 1364 /** 1365 * smack_inode_post_setxattr - Apply the Smack update approved above 1366 * @dentry: object 1367 * @name: attribute name 1368 * @value: attribute value 1369 * @size: attribute size 1370 * @flags: unused 1371 * 1372 * Set the pointer in the inode blob to the entry found 1373 * in the master label list. 1374 */ 1375 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1376 const void *value, size_t size, int flags) 1377 { 1378 struct smack_known *skp; 1379 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1380 1381 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1382 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1383 return; 1384 } 1385 1386 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1387 skp = smk_import_entry(value, size); 1388 if (!IS_ERR(skp)) 1389 isp->smk_inode = skp; 1390 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1391 skp = smk_import_entry(value, size); 1392 if (!IS_ERR(skp)) 1393 isp->smk_task = skp; 1394 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1395 skp = smk_import_entry(value, size); 1396 if (!IS_ERR(skp)) 1397 isp->smk_mmap = skp; 1398 } 1399 1400 return; 1401 } 1402 1403 /** 1404 * smack_inode_getxattr - Smack check on getxattr 1405 * @dentry: the object 1406 * @name: unused 1407 * 1408 * Returns 0 if access is permitted, an error code otherwise 1409 */ 1410 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1411 { 1412 struct smk_audit_info ad; 1413 int rc; 1414 1415 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1416 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1417 1418 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1419 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1420 return rc; 1421 } 1422 1423 /** 1424 * smack_inode_removexattr - Smack check on removexattr 1425 * @idmap: idmap of the mount 1426 * @dentry: the object 1427 * @name: name of the attribute 1428 * 1429 * Removing the Smack attribute requires CAP_MAC_ADMIN 1430 * 1431 * Returns 0 if access is permitted, an error code otherwise 1432 */ 1433 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1434 struct dentry *dentry, const char *name) 1435 { 1436 struct inode_smack *isp; 1437 struct smk_audit_info ad; 1438 int rc = 0; 1439 1440 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1441 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1442 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1443 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1444 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1445 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1446 if (!smack_privileged(CAP_MAC_ADMIN)) 1447 rc = -EPERM; 1448 } 1449 1450 if (rc != 0) 1451 return rc; 1452 1453 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1454 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1455 1456 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1457 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1458 if (rc != 0) 1459 return rc; 1460 1461 isp = smack_inode(d_backing_inode(dentry)); 1462 /* 1463 * Don't do anything special for these. 1464 * XATTR_NAME_SMACKIPIN 1465 * XATTR_NAME_SMACKIPOUT 1466 */ 1467 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1468 struct super_block *sbp = dentry->d_sb; 1469 struct superblock_smack *sbsp = smack_superblock(sbp); 1470 1471 isp->smk_inode = sbsp->smk_default; 1472 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1473 isp->smk_task = NULL; 1474 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1475 isp->smk_mmap = NULL; 1476 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1477 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1478 1479 return 0; 1480 } 1481 1482 /** 1483 * smack_inode_set_acl - Smack check for setting posix acls 1484 * @idmap: idmap of the mnt this request came from 1485 * @dentry: the object 1486 * @acl_name: name of the posix acl 1487 * @kacl: the posix acls 1488 * 1489 * Returns 0 if access is permitted, an error code otherwise 1490 */ 1491 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1492 struct dentry *dentry, const char *acl_name, 1493 struct posix_acl *kacl) 1494 { 1495 struct smk_audit_info ad; 1496 int rc; 1497 1498 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1499 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1500 1501 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1502 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1503 return rc; 1504 } 1505 1506 /** 1507 * smack_inode_get_acl - Smack check for getting posix acls 1508 * @idmap: idmap of the mnt this request came from 1509 * @dentry: the object 1510 * @acl_name: name of the posix acl 1511 * 1512 * Returns 0 if access is permitted, an error code otherwise 1513 */ 1514 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1515 struct dentry *dentry, const char *acl_name) 1516 { 1517 struct smk_audit_info ad; 1518 int rc; 1519 1520 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1521 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1522 1523 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1524 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1525 return rc; 1526 } 1527 1528 /** 1529 * smack_inode_remove_acl - Smack check for getting posix acls 1530 * @idmap: idmap of the mnt this request came from 1531 * @dentry: the object 1532 * @acl_name: name of the posix acl 1533 * 1534 * Returns 0 if access is permitted, an error code otherwise 1535 */ 1536 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1537 struct dentry *dentry, const char *acl_name) 1538 { 1539 struct smk_audit_info ad; 1540 int rc; 1541 1542 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1543 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1544 1545 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1546 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1547 return rc; 1548 } 1549 1550 /** 1551 * smack_inode_getsecurity - get smack xattrs 1552 * @idmap: idmap of the mount 1553 * @inode: the object 1554 * @name: attribute name 1555 * @buffer: where to put the result 1556 * @alloc: duplicate memory 1557 * 1558 * Returns the size of the attribute or an error code 1559 */ 1560 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1561 struct inode *inode, const char *name, 1562 void **buffer, bool alloc) 1563 { 1564 struct socket_smack *ssp; 1565 struct socket *sock; 1566 struct super_block *sbp; 1567 struct inode *ip = inode; 1568 struct smack_known *isp; 1569 struct inode_smack *ispp; 1570 size_t label_len; 1571 char *label = NULL; 1572 1573 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1574 isp = smk_of_inode(inode); 1575 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1576 ispp = smack_inode(inode); 1577 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1578 label = TRANS_TRUE; 1579 else 1580 label = ""; 1581 } else { 1582 /* 1583 * The rest of the Smack xattrs are only on sockets. 1584 */ 1585 sbp = ip->i_sb; 1586 if (sbp->s_magic != SOCKFS_MAGIC) 1587 return -EOPNOTSUPP; 1588 1589 sock = SOCKET_I(ip); 1590 if (sock == NULL || sock->sk == NULL) 1591 return -EOPNOTSUPP; 1592 1593 ssp = smack_sock(sock->sk); 1594 1595 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1596 isp = ssp->smk_in; 1597 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1598 isp = ssp->smk_out; 1599 else 1600 return -EOPNOTSUPP; 1601 } 1602 1603 if (!label) 1604 label = isp->smk_known; 1605 1606 label_len = strlen(label); 1607 1608 if (alloc) { 1609 *buffer = kstrdup(label, GFP_KERNEL); 1610 if (*buffer == NULL) 1611 return -ENOMEM; 1612 } 1613 1614 return label_len; 1615 } 1616 1617 1618 /** 1619 * smack_inode_listsecurity - list the Smack attributes 1620 * @inode: the object 1621 * @buffer: where they go 1622 * @buffer_size: size of buffer 1623 */ 1624 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1625 size_t buffer_size) 1626 { 1627 int len = sizeof(XATTR_NAME_SMACK); 1628 1629 if (buffer != NULL && len <= buffer_size) 1630 memcpy(buffer, XATTR_NAME_SMACK, len); 1631 1632 return len; 1633 } 1634 1635 /** 1636 * smack_inode_getlsmprop - Extract inode's security id 1637 * @inode: inode to extract the info from 1638 * @prop: where result will be saved 1639 */ 1640 static void smack_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 1641 { 1642 prop->smack.skp = smk_of_inode(inode); 1643 } 1644 1645 /* 1646 * File Hooks 1647 */ 1648 1649 /* 1650 * There is no smack_file_permission hook 1651 * 1652 * Should access checks be done on each read or write? 1653 * UNICOS and SELinux say yes. 1654 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1655 * 1656 * I'll say no for now. Smack does not do the frequent 1657 * label changing that SELinux does. 1658 */ 1659 1660 /** 1661 * smack_file_alloc_security - assign a file security blob 1662 * @file: the object 1663 * 1664 * The security blob for a file is a pointer to the master 1665 * label list, so no allocation is done. 1666 * 1667 * f_security is the owner security information. It 1668 * isn't used on file access checks, it's for send_sigio. 1669 * 1670 * Returns 0 1671 */ 1672 static int smack_file_alloc_security(struct file *file) 1673 { 1674 struct smack_known **blob = smack_file(file); 1675 1676 *blob = smk_of_current(); 1677 return 0; 1678 } 1679 1680 /** 1681 * smack_file_ioctl - Smack check on ioctls 1682 * @file: the object 1683 * @cmd: what to do 1684 * @arg: unused 1685 * 1686 * Relies heavily on the correct use of the ioctl command conventions. 1687 * 1688 * Returns 0 if allowed, error code otherwise 1689 */ 1690 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1691 unsigned long arg) 1692 { 1693 int rc = 0; 1694 struct smk_audit_info ad; 1695 struct inode *inode = file_inode(file); 1696 1697 if (unlikely(IS_PRIVATE(inode))) 1698 return 0; 1699 1700 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1701 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1702 1703 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1704 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1705 rc = smk_bu_file(file, MAY_WRITE, rc); 1706 } 1707 1708 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1709 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1710 rc = smk_bu_file(file, MAY_READ, rc); 1711 } 1712 1713 return rc; 1714 } 1715 1716 /** 1717 * smack_file_lock - Smack check on file locking 1718 * @file: the object 1719 * @cmd: unused 1720 * 1721 * Returns 0 if current has lock access, error code otherwise 1722 */ 1723 static int smack_file_lock(struct file *file, unsigned int cmd) 1724 { 1725 struct smk_audit_info ad; 1726 int rc; 1727 struct inode *inode = file_inode(file); 1728 1729 if (unlikely(IS_PRIVATE(inode))) 1730 return 0; 1731 1732 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1733 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1734 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1735 rc = smk_bu_file(file, MAY_LOCK, rc); 1736 return rc; 1737 } 1738 1739 /** 1740 * smack_file_fcntl - Smack check on fcntl 1741 * @file: the object 1742 * @cmd: what action to check 1743 * @arg: unused 1744 * 1745 * Generally these operations are harmless. 1746 * File locking operations present an obvious mechanism 1747 * for passing information, so they require write access. 1748 * 1749 * Returns 0 if current has access, error code otherwise 1750 */ 1751 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1752 unsigned long arg) 1753 { 1754 struct smk_audit_info ad; 1755 int rc = 0; 1756 struct inode *inode = file_inode(file); 1757 1758 if (unlikely(IS_PRIVATE(inode))) 1759 return 0; 1760 1761 switch (cmd) { 1762 case F_GETLK: 1763 break; 1764 case F_SETLK: 1765 case F_SETLKW: 1766 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1767 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1768 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1769 rc = smk_bu_file(file, MAY_LOCK, rc); 1770 break; 1771 case F_SETOWN: 1772 case F_SETSIG: 1773 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1774 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1775 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1776 rc = smk_bu_file(file, MAY_WRITE, rc); 1777 break; 1778 default: 1779 break; 1780 } 1781 1782 return rc; 1783 } 1784 1785 /** 1786 * smack_mmap_file - Check permissions for a mmap operation. 1787 * @file: contains the file structure for file to map (may be NULL). 1788 * @reqprot: contains the protection requested by the application. 1789 * @prot: contains the protection that will be applied by the kernel. 1790 * @flags: contains the operational flags. 1791 * 1792 * The @file may be NULL, e.g. if mapping anonymous memory. 1793 * 1794 * Return 0 if permission is granted. 1795 */ 1796 static int smack_mmap_file(struct file *file, 1797 unsigned long reqprot, unsigned long prot, 1798 unsigned long flags) 1799 { 1800 struct smack_known *skp; 1801 struct smack_known *mkp; 1802 struct smack_rule *srp; 1803 struct task_smack *tsp; 1804 struct smack_known *okp; 1805 struct inode_smack *isp; 1806 struct superblock_smack *sbsp; 1807 int may; 1808 int mmay; 1809 int tmay; 1810 int rc; 1811 1812 if (file == NULL) 1813 return 0; 1814 1815 if (unlikely(IS_PRIVATE(file_inode(file)))) 1816 return 0; 1817 1818 isp = smack_inode(file_inode(file)); 1819 if (isp->smk_mmap == NULL) 1820 return 0; 1821 sbsp = smack_superblock(file_inode(file)->i_sb); 1822 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1823 isp->smk_mmap != sbsp->smk_root) 1824 return -EACCES; 1825 mkp = isp->smk_mmap; 1826 1827 tsp = smack_cred(current_cred()); 1828 skp = smk_of_current(); 1829 rc = 0; 1830 1831 rcu_read_lock(); 1832 /* 1833 * For each Smack rule associated with the subject 1834 * label verify that the SMACK64MMAP also has access 1835 * to that rule's object label. 1836 */ 1837 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1838 okp = srp->smk_object; 1839 /* 1840 * Matching labels always allows access. 1841 */ 1842 if (mkp->smk_known == okp->smk_known) 1843 continue; 1844 /* 1845 * If there is a matching local rule take 1846 * that into account as well. 1847 */ 1848 may = smk_access_entry(srp->smk_subject->smk_known, 1849 okp->smk_known, 1850 &tsp->smk_rules); 1851 if (may == -ENOENT) 1852 may = srp->smk_access; 1853 else 1854 may &= srp->smk_access; 1855 /* 1856 * If may is zero the SMACK64MMAP subject can't 1857 * possibly have less access. 1858 */ 1859 if (may == 0) 1860 continue; 1861 1862 /* 1863 * Fetch the global list entry. 1864 * If there isn't one a SMACK64MMAP subject 1865 * can't have as much access as current. 1866 */ 1867 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1868 &mkp->smk_rules); 1869 if (mmay == -ENOENT) { 1870 rc = -EACCES; 1871 break; 1872 } 1873 /* 1874 * If there is a local entry it modifies the 1875 * potential access, too. 1876 */ 1877 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1878 &tsp->smk_rules); 1879 if (tmay != -ENOENT) 1880 mmay &= tmay; 1881 1882 /* 1883 * If there is any access available to current that is 1884 * not available to a SMACK64MMAP subject 1885 * deny access. 1886 */ 1887 if ((may | mmay) != mmay) { 1888 rc = -EACCES; 1889 break; 1890 } 1891 } 1892 1893 rcu_read_unlock(); 1894 1895 return rc; 1896 } 1897 1898 /** 1899 * smack_file_set_fowner - set the file security blob value 1900 * @file: object in question 1901 * 1902 */ 1903 static void smack_file_set_fowner(struct file *file) 1904 { 1905 struct smack_known **blob = smack_file(file); 1906 1907 *blob = smk_of_current(); 1908 } 1909 1910 /** 1911 * smack_file_send_sigiotask - Smack on sigio 1912 * @tsk: The target task 1913 * @fown: the object the signal come from 1914 * @signum: unused 1915 * 1916 * Allow a privileged task to get signals even if it shouldn't 1917 * 1918 * Returns 0 if a subject with the object's smack could 1919 * write to the task, an error code otherwise. 1920 */ 1921 static int smack_file_send_sigiotask(struct task_struct *tsk, 1922 struct fown_struct *fown, int signum) 1923 { 1924 struct smack_known **blob; 1925 struct smack_known *skp; 1926 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1927 const struct cred *tcred; 1928 struct file *file; 1929 int rc; 1930 struct smk_audit_info ad; 1931 1932 /* 1933 * struct fown_struct is never outside the context of a struct file 1934 */ 1935 file = fown->file; 1936 1937 /* we don't log here as rc can be overriden */ 1938 blob = smack_file(file); 1939 skp = *blob; 1940 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1941 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1942 1943 rcu_read_lock(); 1944 tcred = __task_cred(tsk); 1945 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1946 rc = 0; 1947 rcu_read_unlock(); 1948 1949 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1950 smk_ad_setfield_u_tsk(&ad, tsk); 1951 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1952 return rc; 1953 } 1954 1955 /** 1956 * smack_file_receive - Smack file receive check 1957 * @file: the object 1958 * 1959 * Returns 0 if current has access, error code otherwise 1960 */ 1961 static int smack_file_receive(struct file *file) 1962 { 1963 int rc; 1964 int may = 0; 1965 struct smk_audit_info ad; 1966 struct inode *inode = file_inode(file); 1967 struct socket *sock; 1968 struct task_smack *tsp; 1969 struct socket_smack *ssp; 1970 1971 if (unlikely(IS_PRIVATE(inode))) 1972 return 0; 1973 1974 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1975 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1976 1977 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1978 sock = SOCKET_I(inode); 1979 ssp = smack_sock(sock->sk); 1980 tsp = smack_cred(current_cred()); 1981 /* 1982 * If the receiving process can't write to the 1983 * passed socket or if the passed socket can't 1984 * write to the receiving process don't accept 1985 * the passed socket. 1986 */ 1987 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1988 rc = smk_bu_file(file, may, rc); 1989 if (rc < 0) 1990 return rc; 1991 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1992 rc = smk_bu_file(file, may, rc); 1993 return rc; 1994 } 1995 /* 1996 * This code relies on bitmasks. 1997 */ 1998 if (file->f_mode & FMODE_READ) 1999 may = MAY_READ; 2000 if (file->f_mode & FMODE_WRITE) 2001 may |= MAY_WRITE; 2002 2003 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2004 rc = smk_bu_file(file, may, rc); 2005 return rc; 2006 } 2007 2008 /** 2009 * smack_file_open - Smack dentry open processing 2010 * @file: the object 2011 * 2012 * Set the security blob in the file structure. 2013 * Allow the open only if the task has read access. There are 2014 * many read operations (e.g. fstat) that you can do with an 2015 * fd even if you have the file open write-only. 2016 * 2017 * Returns 0 if current has access, error code otherwise 2018 */ 2019 static int smack_file_open(struct file *file) 2020 { 2021 struct task_smack *tsp = smack_cred(file->f_cred); 2022 struct inode *inode = file_inode(file); 2023 struct smk_audit_info ad; 2024 int rc; 2025 2026 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2027 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2028 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2029 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2030 2031 return rc; 2032 } 2033 2034 /* 2035 * Task hooks 2036 */ 2037 2038 /** 2039 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2040 * @cred: the new credentials 2041 * @gfp: the atomicity of any memory allocations 2042 * 2043 * Prepare a blank set of credentials for modification. This must allocate all 2044 * the memory the LSM module might require such that cred_transfer() can 2045 * complete without error. 2046 */ 2047 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2048 { 2049 init_task_smack(smack_cred(cred), NULL, NULL); 2050 return 0; 2051 } 2052 2053 2054 /** 2055 * smack_cred_free - "free" task-level security credentials 2056 * @cred: the credentials in question 2057 * 2058 */ 2059 static void smack_cred_free(struct cred *cred) 2060 { 2061 struct task_smack *tsp = smack_cred(cred); 2062 struct smack_rule *rp; 2063 struct list_head *l; 2064 struct list_head *n; 2065 2066 smk_destroy_label_list(&tsp->smk_relabel); 2067 2068 list_for_each_safe(l, n, &tsp->smk_rules) { 2069 rp = list_entry(l, struct smack_rule, list); 2070 list_del(&rp->list); 2071 kmem_cache_free(smack_rule_cache, rp); 2072 } 2073 } 2074 2075 /** 2076 * smack_cred_prepare - prepare new set of credentials for modification 2077 * @new: the new credentials 2078 * @old: the original credentials 2079 * @gfp: the atomicity of any memory allocations 2080 * 2081 * Prepare a new set of credentials for modification. 2082 */ 2083 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2084 gfp_t gfp) 2085 { 2086 struct task_smack *old_tsp = smack_cred(old); 2087 struct task_smack *new_tsp = smack_cred(new); 2088 int rc; 2089 2090 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2091 2092 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2093 if (rc != 0) 2094 return rc; 2095 2096 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2097 gfp); 2098 return rc; 2099 } 2100 2101 /** 2102 * smack_cred_transfer - Transfer the old credentials to the new credentials 2103 * @new: the new credentials 2104 * @old: the original credentials 2105 * 2106 * Fill in a set of blank credentials from another set of credentials. 2107 */ 2108 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2109 { 2110 struct task_smack *old_tsp = smack_cred(old); 2111 struct task_smack *new_tsp = smack_cred(new); 2112 2113 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2114 } 2115 2116 /** 2117 * smack_cred_getsecid - get the secid corresponding to a creds structure 2118 * @cred: the object creds 2119 * @secid: where to put the result 2120 * 2121 * Sets the secid to contain a u32 version of the smack label. 2122 */ 2123 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2124 { 2125 struct smack_known *skp; 2126 2127 rcu_read_lock(); 2128 skp = smk_of_task(smack_cred(cred)); 2129 *secid = skp->smk_secid; 2130 rcu_read_unlock(); 2131 } 2132 2133 /** 2134 * smack_cred_getlsmprop - get the Smack label for a creds structure 2135 * @cred: the object creds 2136 * @prop: where to put the data 2137 * 2138 * Sets the Smack part of the ref 2139 */ 2140 static void smack_cred_getlsmprop(const struct cred *cred, 2141 struct lsm_prop *prop) 2142 { 2143 rcu_read_lock(); 2144 prop->smack.skp = smk_of_task(smack_cred(cred)); 2145 rcu_read_unlock(); 2146 } 2147 2148 /** 2149 * smack_kernel_act_as - Set the subjective context in a set of credentials 2150 * @new: points to the set of credentials to be modified. 2151 * @secid: specifies the security ID to be set 2152 * 2153 * Set the security data for a kernel service. 2154 */ 2155 static int smack_kernel_act_as(struct cred *new, u32 secid) 2156 { 2157 struct task_smack *new_tsp = smack_cred(new); 2158 2159 new_tsp->smk_task = smack_from_secid(secid); 2160 return 0; 2161 } 2162 2163 /** 2164 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2165 * @new: points to the set of credentials to be modified 2166 * @inode: points to the inode to use as a reference 2167 * 2168 * Set the file creation context in a set of credentials to the same 2169 * as the objective context of the specified inode 2170 */ 2171 static int smack_kernel_create_files_as(struct cred *new, 2172 struct inode *inode) 2173 { 2174 struct inode_smack *isp = smack_inode(inode); 2175 struct task_smack *tsp = smack_cred(new); 2176 2177 tsp->smk_forked = isp->smk_inode; 2178 tsp->smk_task = tsp->smk_forked; 2179 return 0; 2180 } 2181 2182 /** 2183 * smk_curacc_on_task - helper to log task related access 2184 * @p: the task object 2185 * @access: the access requested 2186 * @caller: name of the calling function for audit 2187 * 2188 * Return 0 if access is permitted 2189 */ 2190 static int smk_curacc_on_task(struct task_struct *p, int access, 2191 const char *caller) 2192 { 2193 struct smk_audit_info ad; 2194 struct smack_known *skp = smk_of_task_struct_obj(p); 2195 int rc; 2196 2197 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2198 smk_ad_setfield_u_tsk(&ad, p); 2199 rc = smk_curacc(skp, access, &ad); 2200 rc = smk_bu_task(p, access, rc); 2201 return rc; 2202 } 2203 2204 /** 2205 * smack_task_setpgid - Smack check on setting pgid 2206 * @p: the task object 2207 * @pgid: unused 2208 * 2209 * Return 0 if write access is permitted 2210 */ 2211 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2212 { 2213 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2214 } 2215 2216 /** 2217 * smack_task_getpgid - Smack access check for getpgid 2218 * @p: the object task 2219 * 2220 * Returns 0 if current can read the object task, error code otherwise 2221 */ 2222 static int smack_task_getpgid(struct task_struct *p) 2223 { 2224 return smk_curacc_on_task(p, MAY_READ, __func__); 2225 } 2226 2227 /** 2228 * smack_task_getsid - Smack access check for getsid 2229 * @p: the object task 2230 * 2231 * Returns 0 if current can read the object task, error code otherwise 2232 */ 2233 static int smack_task_getsid(struct task_struct *p) 2234 { 2235 return smk_curacc_on_task(p, MAY_READ, __func__); 2236 } 2237 2238 /** 2239 * smack_current_getlsmprop_subj - get the subjective secid of the current task 2240 * @prop: where to put the result 2241 * 2242 * Sets the secid to contain a u32 version of the task's subjective smack label. 2243 */ 2244 static void smack_current_getlsmprop_subj(struct lsm_prop *prop) 2245 { 2246 prop->smack.skp = smk_of_current(); 2247 } 2248 2249 /** 2250 * smack_task_getlsmprop_obj - get the objective data of the task 2251 * @p: the task 2252 * @prop: where to put the result 2253 * 2254 * Sets the secid to contain a u32 version of the task's objective smack label. 2255 */ 2256 static void smack_task_getlsmprop_obj(struct task_struct *p, 2257 struct lsm_prop *prop) 2258 { 2259 prop->smack.skp = smk_of_task_struct_obj(p); 2260 } 2261 2262 /** 2263 * smack_task_setnice - Smack check on setting nice 2264 * @p: the task object 2265 * @nice: unused 2266 * 2267 * Return 0 if write access is permitted 2268 */ 2269 static int smack_task_setnice(struct task_struct *p, int nice) 2270 { 2271 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2272 } 2273 2274 /** 2275 * smack_task_setioprio - Smack check on setting ioprio 2276 * @p: the task object 2277 * @ioprio: unused 2278 * 2279 * Return 0 if write access is permitted 2280 */ 2281 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2282 { 2283 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2284 } 2285 2286 /** 2287 * smack_task_getioprio - Smack check on reading ioprio 2288 * @p: the task object 2289 * 2290 * Return 0 if read access is permitted 2291 */ 2292 static int smack_task_getioprio(struct task_struct *p) 2293 { 2294 return smk_curacc_on_task(p, MAY_READ, __func__); 2295 } 2296 2297 /** 2298 * smack_task_setscheduler - Smack check on setting scheduler 2299 * @p: the task object 2300 * 2301 * Return 0 if read access is permitted 2302 */ 2303 static int smack_task_setscheduler(struct task_struct *p) 2304 { 2305 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2306 } 2307 2308 /** 2309 * smack_task_getscheduler - Smack check on reading scheduler 2310 * @p: the task object 2311 * 2312 * Return 0 if read access is permitted 2313 */ 2314 static int smack_task_getscheduler(struct task_struct *p) 2315 { 2316 return smk_curacc_on_task(p, MAY_READ, __func__); 2317 } 2318 2319 /** 2320 * smack_task_movememory - Smack check on moving memory 2321 * @p: the task object 2322 * 2323 * Return 0 if write access is permitted 2324 */ 2325 static int smack_task_movememory(struct task_struct *p) 2326 { 2327 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2328 } 2329 2330 /** 2331 * smack_task_kill - Smack check on signal delivery 2332 * @p: the task object 2333 * @info: unused 2334 * @sig: unused 2335 * @cred: identifies the cred to use in lieu of current's 2336 * 2337 * Return 0 if write access is permitted 2338 * 2339 */ 2340 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2341 int sig, const struct cred *cred) 2342 { 2343 struct smk_audit_info ad; 2344 struct smack_known *skp; 2345 struct smack_known *tkp = smk_of_task_struct_obj(p); 2346 int rc; 2347 2348 if (!sig) 2349 return 0; /* null signal; existence test */ 2350 2351 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2352 smk_ad_setfield_u_tsk(&ad, p); 2353 /* 2354 * Sending a signal requires that the sender 2355 * can write the receiver. 2356 */ 2357 if (cred == NULL) { 2358 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2359 rc = smk_bu_task(p, MAY_DELIVER, rc); 2360 return rc; 2361 } 2362 /* 2363 * If the cred isn't NULL we're dealing with some USB IO 2364 * specific behavior. This is not clean. For one thing 2365 * we can't take privilege into account. 2366 */ 2367 skp = smk_of_task(smack_cred(cred)); 2368 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2369 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2370 return rc; 2371 } 2372 2373 /** 2374 * smack_task_to_inode - copy task smack into the inode blob 2375 * @p: task to copy from 2376 * @inode: inode to copy to 2377 * 2378 * Sets the smack pointer in the inode security blob 2379 */ 2380 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2381 { 2382 struct inode_smack *isp = smack_inode(inode); 2383 struct smack_known *skp = smk_of_task_struct_obj(p); 2384 2385 isp->smk_inode = skp; 2386 isp->smk_flags |= SMK_INODE_INSTANT; 2387 } 2388 2389 /* 2390 * Socket hooks. 2391 */ 2392 2393 /** 2394 * smack_sk_alloc_security - Allocate a socket blob 2395 * @sk: the socket 2396 * @family: unused 2397 * @gfp_flags: memory allocation flags 2398 * 2399 * Assign Smack pointers to current 2400 * 2401 * Returns 0 on success, -ENOMEM is there's no memory 2402 */ 2403 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2404 { 2405 struct smack_known *skp = smk_of_current(); 2406 struct socket_smack *ssp = smack_sock(sk); 2407 2408 /* 2409 * Sockets created by kernel threads receive web label. 2410 */ 2411 if (unlikely(current->flags & PF_KTHREAD)) { 2412 ssp->smk_in = &smack_known_web; 2413 ssp->smk_out = &smack_known_web; 2414 } else { 2415 ssp->smk_in = skp; 2416 ssp->smk_out = skp; 2417 } 2418 ssp->smk_packet = NULL; 2419 2420 return 0; 2421 } 2422 2423 #ifdef SMACK_IPV6_PORT_LABELING 2424 /** 2425 * smack_sk_free_security - Free a socket blob 2426 * @sk: the socket 2427 * 2428 * Clears the blob pointer 2429 */ 2430 static void smack_sk_free_security(struct sock *sk) 2431 { 2432 struct smk_port_label *spp; 2433 2434 if (sk->sk_family == PF_INET6) { 2435 rcu_read_lock(); 2436 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2437 if (spp->smk_sock != sk) 2438 continue; 2439 spp->smk_can_reuse = 1; 2440 break; 2441 } 2442 rcu_read_unlock(); 2443 } 2444 } 2445 #endif 2446 2447 /** 2448 * smack_sk_clone_security - Copy security context 2449 * @sk: the old socket 2450 * @newsk: the new socket 2451 * 2452 * Copy the security context of the old socket pointer to the cloned 2453 */ 2454 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2455 { 2456 struct socket_smack *ssp_old = smack_sock(sk); 2457 struct socket_smack *ssp_new = smack_sock(newsk); 2458 2459 *ssp_new = *ssp_old; 2460 } 2461 2462 /** 2463 * smack_ipv4host_label - check host based restrictions 2464 * @sip: the object end 2465 * 2466 * looks for host based access restrictions 2467 * 2468 * This version will only be appropriate for really small sets of single label 2469 * hosts. The caller is responsible for ensuring that the RCU read lock is 2470 * taken before calling this function. 2471 * 2472 * Returns the label of the far end or NULL if it's not special. 2473 */ 2474 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2475 { 2476 struct smk_net4addr *snp; 2477 struct in_addr *siap = &sip->sin_addr; 2478 2479 if (siap->s_addr == 0) 2480 return NULL; 2481 2482 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2483 /* 2484 * we break after finding the first match because 2485 * the list is sorted from longest to shortest mask 2486 * so we have found the most specific match 2487 */ 2488 if (snp->smk_host.s_addr == 2489 (siap->s_addr & snp->smk_mask.s_addr)) 2490 return snp->smk_label; 2491 2492 return NULL; 2493 } 2494 2495 /* 2496 * smk_ipv6_localhost - Check for local ipv6 host address 2497 * @sip: the address 2498 * 2499 * Returns boolean true if this is the localhost address 2500 */ 2501 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2502 { 2503 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2504 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2505 2506 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2507 ntohs(be16p[7]) == 1) 2508 return true; 2509 return false; 2510 } 2511 2512 /** 2513 * smack_ipv6host_label - check host based restrictions 2514 * @sip: the object end 2515 * 2516 * looks for host based access restrictions 2517 * 2518 * This version will only be appropriate for really small sets of single label 2519 * hosts. The caller is responsible for ensuring that the RCU read lock is 2520 * taken before calling this function. 2521 * 2522 * Returns the label of the far end or NULL if it's not special. 2523 */ 2524 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2525 { 2526 struct smk_net6addr *snp; 2527 struct in6_addr *sap = &sip->sin6_addr; 2528 int i; 2529 int found = 0; 2530 2531 /* 2532 * It's local. Don't look for a host label. 2533 */ 2534 if (smk_ipv6_localhost(sip)) 2535 return NULL; 2536 2537 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2538 /* 2539 * If the label is NULL the entry has 2540 * been renounced. Ignore it. 2541 */ 2542 if (snp->smk_label == NULL) 2543 continue; 2544 /* 2545 * we break after finding the first match because 2546 * the list is sorted from longest to shortest mask 2547 * so we have found the most specific match 2548 */ 2549 for (found = 1, i = 0; i < 8; i++) { 2550 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2551 snp->smk_host.s6_addr16[i]) { 2552 found = 0; 2553 break; 2554 } 2555 } 2556 if (found) 2557 return snp->smk_label; 2558 } 2559 2560 return NULL; 2561 } 2562 2563 /** 2564 * smack_netlbl_add - Set the secattr on a socket 2565 * @sk: the socket 2566 * 2567 * Attach the outbound smack value (smk_out) to the socket. 2568 * 2569 * Returns 0 on success or an error code 2570 */ 2571 static int smack_netlbl_add(struct sock *sk) 2572 { 2573 struct socket_smack *ssp = smack_sock(sk); 2574 struct smack_known *skp = ssp->smk_out; 2575 int rc; 2576 2577 local_bh_disable(); 2578 bh_lock_sock_nested(sk); 2579 2580 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2581 netlbl_sk_lock_check(sk)); 2582 switch (rc) { 2583 case 0: 2584 ssp->smk_state = SMK_NETLBL_LABELED; 2585 break; 2586 case -EDESTADDRREQ: 2587 ssp->smk_state = SMK_NETLBL_REQSKB; 2588 rc = 0; 2589 break; 2590 } 2591 2592 bh_unlock_sock(sk); 2593 local_bh_enable(); 2594 2595 return rc; 2596 } 2597 2598 /** 2599 * smack_netlbl_delete - Remove the secattr from a socket 2600 * @sk: the socket 2601 * 2602 * Remove the outbound smack value from a socket 2603 */ 2604 static void smack_netlbl_delete(struct sock *sk) 2605 { 2606 struct socket_smack *ssp = smack_sock(sk); 2607 2608 /* 2609 * Take the label off the socket if one is set. 2610 */ 2611 if (ssp->smk_state != SMK_NETLBL_LABELED) 2612 return; 2613 2614 local_bh_disable(); 2615 bh_lock_sock_nested(sk); 2616 netlbl_sock_delattr(sk); 2617 bh_unlock_sock(sk); 2618 local_bh_enable(); 2619 ssp->smk_state = SMK_NETLBL_UNLABELED; 2620 } 2621 2622 /** 2623 * smk_ipv4_check - Perform IPv4 host access checks 2624 * @sk: the socket 2625 * @sap: the destination address 2626 * 2627 * Set the correct secattr for the given socket based on the destination 2628 * address and perform any outbound access checks needed. 2629 * 2630 * Returns 0 on success or an error code. 2631 * 2632 */ 2633 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2634 { 2635 struct smack_known *skp; 2636 int rc = 0; 2637 struct smack_known *hkp; 2638 struct socket_smack *ssp = smack_sock(sk); 2639 struct smk_audit_info ad; 2640 2641 rcu_read_lock(); 2642 hkp = smack_ipv4host_label(sap); 2643 if (hkp != NULL) { 2644 #ifdef CONFIG_AUDIT 2645 struct lsm_network_audit net; 2646 2647 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2648 ad.a.u.net->family = sap->sin_family; 2649 ad.a.u.net->dport = sap->sin_port; 2650 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2651 #endif 2652 skp = ssp->smk_out; 2653 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2654 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2655 /* 2656 * Clear the socket netlabel if it's set. 2657 */ 2658 if (!rc) 2659 smack_netlbl_delete(sk); 2660 } 2661 rcu_read_unlock(); 2662 2663 return rc; 2664 } 2665 2666 /** 2667 * smk_ipv6_check - check Smack access 2668 * @subject: subject Smack label 2669 * @object: object Smack label 2670 * @address: address 2671 * @act: the action being taken 2672 * 2673 * Check an IPv6 access 2674 */ 2675 static int smk_ipv6_check(struct smack_known *subject, 2676 struct smack_known *object, 2677 struct sockaddr_in6 *address, int act) 2678 { 2679 #ifdef CONFIG_AUDIT 2680 struct lsm_network_audit net; 2681 #endif 2682 struct smk_audit_info ad; 2683 int rc; 2684 2685 #ifdef CONFIG_AUDIT 2686 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2687 ad.a.u.net->family = PF_INET6; 2688 ad.a.u.net->dport = address->sin6_port; 2689 if (act == SMK_RECEIVING) 2690 ad.a.u.net->v6info.saddr = address->sin6_addr; 2691 else 2692 ad.a.u.net->v6info.daddr = address->sin6_addr; 2693 #endif 2694 rc = smk_access(subject, object, MAY_WRITE, &ad); 2695 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2696 return rc; 2697 } 2698 2699 #ifdef SMACK_IPV6_PORT_LABELING 2700 /** 2701 * smk_ipv6_port_label - Smack port access table management 2702 * @sock: socket 2703 * @address: address 2704 * 2705 * Create or update the port list entry 2706 */ 2707 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2708 { 2709 struct sock *sk = sock->sk; 2710 struct sockaddr_in6 *addr6; 2711 struct socket_smack *ssp = smack_sock(sock->sk); 2712 struct smk_port_label *spp; 2713 unsigned short port = 0; 2714 2715 if (address == NULL) { 2716 /* 2717 * This operation is changing the Smack information 2718 * on the bound socket. Take the changes to the port 2719 * as well. 2720 */ 2721 rcu_read_lock(); 2722 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2723 if (sk != spp->smk_sock) 2724 continue; 2725 spp->smk_in = ssp->smk_in; 2726 spp->smk_out = ssp->smk_out; 2727 rcu_read_unlock(); 2728 return; 2729 } 2730 /* 2731 * A NULL address is only used for updating existing 2732 * bound entries. If there isn't one, it's OK. 2733 */ 2734 rcu_read_unlock(); 2735 return; 2736 } 2737 2738 addr6 = (struct sockaddr_in6 *)address; 2739 port = ntohs(addr6->sin6_port); 2740 /* 2741 * This is a special case that is safely ignored. 2742 */ 2743 if (port == 0) 2744 return; 2745 2746 /* 2747 * Look for an existing port list entry. 2748 * This is an indication that a port is getting reused. 2749 */ 2750 rcu_read_lock(); 2751 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2752 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2753 continue; 2754 if (spp->smk_can_reuse != 1) { 2755 rcu_read_unlock(); 2756 return; 2757 } 2758 spp->smk_port = port; 2759 spp->smk_sock = sk; 2760 spp->smk_in = ssp->smk_in; 2761 spp->smk_out = ssp->smk_out; 2762 spp->smk_can_reuse = 0; 2763 rcu_read_unlock(); 2764 return; 2765 } 2766 rcu_read_unlock(); 2767 /* 2768 * A new port entry is required. 2769 */ 2770 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2771 if (spp == NULL) 2772 return; 2773 2774 spp->smk_port = port; 2775 spp->smk_sock = sk; 2776 spp->smk_in = ssp->smk_in; 2777 spp->smk_out = ssp->smk_out; 2778 spp->smk_sock_type = sock->type; 2779 spp->smk_can_reuse = 0; 2780 2781 mutex_lock(&smack_ipv6_lock); 2782 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2783 mutex_unlock(&smack_ipv6_lock); 2784 return; 2785 } 2786 2787 /** 2788 * smk_ipv6_port_check - check Smack port access 2789 * @sk: socket 2790 * @address: address 2791 * @act: the action being taken 2792 * 2793 * Create or update the port list entry 2794 */ 2795 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2796 int act) 2797 { 2798 struct smk_port_label *spp; 2799 struct socket_smack *ssp = smack_sock(sk); 2800 struct smack_known *skp = NULL; 2801 unsigned short port; 2802 struct smack_known *object; 2803 2804 if (act == SMK_RECEIVING) { 2805 skp = smack_ipv6host_label(address); 2806 object = ssp->smk_in; 2807 } else { 2808 skp = ssp->smk_out; 2809 object = smack_ipv6host_label(address); 2810 } 2811 2812 /* 2813 * The other end is a single label host. 2814 */ 2815 if (skp != NULL && object != NULL) 2816 return smk_ipv6_check(skp, object, address, act); 2817 if (skp == NULL) 2818 skp = smack_net_ambient; 2819 if (object == NULL) 2820 object = smack_net_ambient; 2821 2822 /* 2823 * It's remote, so port lookup does no good. 2824 */ 2825 if (!smk_ipv6_localhost(address)) 2826 return smk_ipv6_check(skp, object, address, act); 2827 2828 /* 2829 * It's local so the send check has to have passed. 2830 */ 2831 if (act == SMK_RECEIVING) 2832 return 0; 2833 2834 port = ntohs(address->sin6_port); 2835 rcu_read_lock(); 2836 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2837 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2838 continue; 2839 object = spp->smk_in; 2840 if (act == SMK_CONNECTING) 2841 ssp->smk_packet = spp->smk_out; 2842 break; 2843 } 2844 rcu_read_unlock(); 2845 2846 return smk_ipv6_check(skp, object, address, act); 2847 } 2848 #endif 2849 2850 /** 2851 * smack_inode_setsecurity - set smack xattrs 2852 * @inode: the object 2853 * @name: attribute name 2854 * @value: attribute value 2855 * @size: size of the attribute 2856 * @flags: unused 2857 * 2858 * Sets the named attribute in the appropriate blob 2859 * 2860 * Returns 0 on success, or an error code 2861 */ 2862 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2863 const void *value, size_t size, int flags) 2864 { 2865 struct smack_known *skp; 2866 struct inode_smack *nsp = smack_inode(inode); 2867 struct socket_smack *ssp; 2868 struct socket *sock; 2869 int rc = 0; 2870 2871 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2872 return -EINVAL; 2873 2874 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2875 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2876 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2877 return -EINVAL; 2878 2879 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2880 return 0; 2881 } 2882 2883 skp = smk_import_entry(value, size); 2884 if (IS_ERR(skp)) 2885 return PTR_ERR(skp); 2886 2887 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2888 nsp->smk_inode = skp; 2889 nsp->smk_flags |= SMK_INODE_INSTANT; 2890 return 0; 2891 } 2892 /* 2893 * The rest of the Smack xattrs are only on sockets. 2894 */ 2895 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2896 return -EOPNOTSUPP; 2897 2898 sock = SOCKET_I(inode); 2899 if (sock == NULL || sock->sk == NULL) 2900 return -EOPNOTSUPP; 2901 2902 ssp = smack_sock(sock->sk); 2903 2904 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2905 ssp->smk_in = skp; 2906 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2907 ssp->smk_out = skp; 2908 if (sock->sk->sk_family == PF_INET) { 2909 rc = smack_netlbl_add(sock->sk); 2910 if (rc != 0) 2911 printk(KERN_WARNING 2912 "Smack: \"%s\" netlbl error %d.\n", 2913 __func__, -rc); 2914 } 2915 } else 2916 return -EOPNOTSUPP; 2917 2918 #ifdef SMACK_IPV6_PORT_LABELING 2919 if (sock->sk->sk_family == PF_INET6) 2920 smk_ipv6_port_label(sock, NULL); 2921 #endif 2922 2923 return 0; 2924 } 2925 2926 /** 2927 * smack_socket_post_create - finish socket setup 2928 * @sock: the socket 2929 * @family: protocol family 2930 * @type: unused 2931 * @protocol: unused 2932 * @kern: unused 2933 * 2934 * Sets the netlabel information on the socket 2935 * 2936 * Returns 0 on success, and error code otherwise 2937 */ 2938 static int smack_socket_post_create(struct socket *sock, int family, 2939 int type, int protocol, int kern) 2940 { 2941 struct socket_smack *ssp; 2942 2943 if (sock->sk == NULL) 2944 return 0; 2945 2946 /* 2947 * Sockets created by kernel threads receive web label. 2948 */ 2949 if (unlikely(current->flags & PF_KTHREAD)) { 2950 ssp = smack_sock(sock->sk); 2951 ssp->smk_in = &smack_known_web; 2952 ssp->smk_out = &smack_known_web; 2953 } 2954 2955 if (family != PF_INET) 2956 return 0; 2957 /* 2958 * Set the outbound netlbl. 2959 */ 2960 return smack_netlbl_add(sock->sk); 2961 } 2962 2963 /** 2964 * smack_socket_socketpair - create socket pair 2965 * @socka: one socket 2966 * @sockb: another socket 2967 * 2968 * Cross reference the peer labels for SO_PEERSEC 2969 * 2970 * Returns 0 2971 */ 2972 static int smack_socket_socketpair(struct socket *socka, 2973 struct socket *sockb) 2974 { 2975 struct socket_smack *asp = smack_sock(socka->sk); 2976 struct socket_smack *bsp = smack_sock(sockb->sk); 2977 2978 asp->smk_packet = bsp->smk_out; 2979 bsp->smk_packet = asp->smk_out; 2980 2981 return 0; 2982 } 2983 2984 #ifdef SMACK_IPV6_PORT_LABELING 2985 /** 2986 * smack_socket_bind - record port binding information. 2987 * @sock: the socket 2988 * @address: the port address 2989 * @addrlen: size of the address 2990 * 2991 * Records the label bound to a port. 2992 * 2993 * Returns 0 on success, and error code otherwise 2994 */ 2995 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2996 int addrlen) 2997 { 2998 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2999 if (addrlen < SIN6_LEN_RFC2133 || 3000 address->sa_family != AF_INET6) 3001 return -EINVAL; 3002 smk_ipv6_port_label(sock, address); 3003 } 3004 return 0; 3005 } 3006 #endif /* SMACK_IPV6_PORT_LABELING */ 3007 3008 /** 3009 * smack_socket_connect - connect access check 3010 * @sock: the socket 3011 * @sap: the other end 3012 * @addrlen: size of sap 3013 * 3014 * Verifies that a connection may be possible 3015 * 3016 * Returns 0 on success, and error code otherwise 3017 */ 3018 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3019 int addrlen) 3020 { 3021 int rc = 0; 3022 3023 if (sock->sk == NULL) 3024 return 0; 3025 if (sock->sk->sk_family != PF_INET && 3026 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3027 return 0; 3028 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3029 return 0; 3030 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { 3031 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3032 struct smack_known *rsp = NULL; 3033 3034 if (addrlen < SIN6_LEN_RFC2133) 3035 return 0; 3036 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3037 rsp = smack_ipv6host_label(sip); 3038 if (rsp != NULL) { 3039 struct socket_smack *ssp = smack_sock(sock->sk); 3040 3041 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3042 SMK_CONNECTING); 3043 } 3044 #ifdef SMACK_IPV6_PORT_LABELING 3045 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3046 #endif 3047 3048 return rc; 3049 } 3050 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3051 return 0; 3052 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3053 return rc; 3054 } 3055 3056 /** 3057 * smack_flags_to_may - convert S_ to MAY_ values 3058 * @flags: the S_ value 3059 * 3060 * Returns the equivalent MAY_ value 3061 */ 3062 static int smack_flags_to_may(int flags) 3063 { 3064 int may = 0; 3065 3066 if (flags & S_IRUGO) 3067 may |= MAY_READ; 3068 if (flags & S_IWUGO) 3069 may |= MAY_WRITE; 3070 if (flags & S_IXUGO) 3071 may |= MAY_EXEC; 3072 3073 return may; 3074 } 3075 3076 /** 3077 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3078 * @msg: the object 3079 * 3080 * Returns 0 3081 */ 3082 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3083 { 3084 struct smack_known **blob = smack_msg_msg(msg); 3085 3086 *blob = smk_of_current(); 3087 return 0; 3088 } 3089 3090 /** 3091 * smack_of_ipc - the smack pointer for the ipc 3092 * @isp: the object 3093 * 3094 * Returns a pointer to the smack value 3095 */ 3096 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3097 { 3098 struct smack_known **blob = smack_ipc(isp); 3099 3100 return *blob; 3101 } 3102 3103 /** 3104 * smack_ipc_alloc_security - Set the security blob for ipc 3105 * @isp: the object 3106 * 3107 * Returns 0 3108 */ 3109 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3110 { 3111 struct smack_known **blob = smack_ipc(isp); 3112 3113 *blob = smk_of_current(); 3114 return 0; 3115 } 3116 3117 /** 3118 * smk_curacc_shm : check if current has access on shm 3119 * @isp : the object 3120 * @access : access requested 3121 * 3122 * Returns 0 if current has the requested access, error code otherwise 3123 */ 3124 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3125 { 3126 struct smack_known *ssp = smack_of_ipc(isp); 3127 struct smk_audit_info ad; 3128 int rc; 3129 3130 #ifdef CONFIG_AUDIT 3131 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3132 ad.a.u.ipc_id = isp->id; 3133 #endif 3134 rc = smk_curacc(ssp, access, &ad); 3135 rc = smk_bu_current("shm", ssp, access, rc); 3136 return rc; 3137 } 3138 3139 /** 3140 * smack_shm_associate - Smack access check for shm 3141 * @isp: the object 3142 * @shmflg: access requested 3143 * 3144 * Returns 0 if current has the requested access, error code otherwise 3145 */ 3146 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3147 { 3148 int may; 3149 3150 may = smack_flags_to_may(shmflg); 3151 return smk_curacc_shm(isp, may); 3152 } 3153 3154 /** 3155 * smack_shm_shmctl - Smack access check for shm 3156 * @isp: the object 3157 * @cmd: what it wants to do 3158 * 3159 * Returns 0 if current has the requested access, error code otherwise 3160 */ 3161 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3162 { 3163 int may; 3164 3165 switch (cmd) { 3166 case IPC_STAT: 3167 case SHM_STAT: 3168 case SHM_STAT_ANY: 3169 may = MAY_READ; 3170 break; 3171 case IPC_SET: 3172 case SHM_LOCK: 3173 case SHM_UNLOCK: 3174 case IPC_RMID: 3175 may = MAY_READWRITE; 3176 break; 3177 case IPC_INFO: 3178 case SHM_INFO: 3179 /* 3180 * System level information. 3181 */ 3182 return 0; 3183 default: 3184 return -EINVAL; 3185 } 3186 return smk_curacc_shm(isp, may); 3187 } 3188 3189 /** 3190 * smack_shm_shmat - Smack access for shmat 3191 * @isp: the object 3192 * @shmaddr: unused 3193 * @shmflg: access requested 3194 * 3195 * Returns 0 if current has the requested access, error code otherwise 3196 */ 3197 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3198 int shmflg) 3199 { 3200 int may; 3201 3202 may = smack_flags_to_may(shmflg); 3203 return smk_curacc_shm(isp, may); 3204 } 3205 3206 /** 3207 * smk_curacc_sem : check if current has access on sem 3208 * @isp : the object 3209 * @access : access requested 3210 * 3211 * Returns 0 if current has the requested access, error code otherwise 3212 */ 3213 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3214 { 3215 struct smack_known *ssp = smack_of_ipc(isp); 3216 struct smk_audit_info ad; 3217 int rc; 3218 3219 #ifdef CONFIG_AUDIT 3220 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3221 ad.a.u.ipc_id = isp->id; 3222 #endif 3223 rc = smk_curacc(ssp, access, &ad); 3224 rc = smk_bu_current("sem", ssp, access, rc); 3225 return rc; 3226 } 3227 3228 /** 3229 * smack_sem_associate - Smack access check for sem 3230 * @isp: the object 3231 * @semflg: access requested 3232 * 3233 * Returns 0 if current has the requested access, error code otherwise 3234 */ 3235 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3236 { 3237 int may; 3238 3239 may = smack_flags_to_may(semflg); 3240 return smk_curacc_sem(isp, may); 3241 } 3242 3243 /** 3244 * smack_sem_semctl - Smack access check for sem 3245 * @isp: the object 3246 * @cmd: what it wants to do 3247 * 3248 * Returns 0 if current has the requested access, error code otherwise 3249 */ 3250 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3251 { 3252 int may; 3253 3254 switch (cmd) { 3255 case GETPID: 3256 case GETNCNT: 3257 case GETZCNT: 3258 case GETVAL: 3259 case GETALL: 3260 case IPC_STAT: 3261 case SEM_STAT: 3262 case SEM_STAT_ANY: 3263 may = MAY_READ; 3264 break; 3265 case SETVAL: 3266 case SETALL: 3267 case IPC_RMID: 3268 case IPC_SET: 3269 may = MAY_READWRITE; 3270 break; 3271 case IPC_INFO: 3272 case SEM_INFO: 3273 /* 3274 * System level information 3275 */ 3276 return 0; 3277 default: 3278 return -EINVAL; 3279 } 3280 3281 return smk_curacc_sem(isp, may); 3282 } 3283 3284 /** 3285 * smack_sem_semop - Smack checks of semaphore operations 3286 * @isp: the object 3287 * @sops: unused 3288 * @nsops: unused 3289 * @alter: unused 3290 * 3291 * Treated as read and write in all cases. 3292 * 3293 * Returns 0 if access is allowed, error code otherwise 3294 */ 3295 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3296 unsigned nsops, int alter) 3297 { 3298 return smk_curacc_sem(isp, MAY_READWRITE); 3299 } 3300 3301 /** 3302 * smk_curacc_msq : helper to check if current has access on msq 3303 * @isp : the msq 3304 * @access : access requested 3305 * 3306 * return 0 if current has access, error otherwise 3307 */ 3308 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3309 { 3310 struct smack_known *msp = smack_of_ipc(isp); 3311 struct smk_audit_info ad; 3312 int rc; 3313 3314 #ifdef CONFIG_AUDIT 3315 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3316 ad.a.u.ipc_id = isp->id; 3317 #endif 3318 rc = smk_curacc(msp, access, &ad); 3319 rc = smk_bu_current("msq", msp, access, rc); 3320 return rc; 3321 } 3322 3323 /** 3324 * smack_msg_queue_associate - Smack access check for msg_queue 3325 * @isp: the object 3326 * @msqflg: access requested 3327 * 3328 * Returns 0 if current has the requested access, error code otherwise 3329 */ 3330 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3331 { 3332 int may; 3333 3334 may = smack_flags_to_may(msqflg); 3335 return smk_curacc_msq(isp, may); 3336 } 3337 3338 /** 3339 * smack_msg_queue_msgctl - Smack access check for msg_queue 3340 * @isp: the object 3341 * @cmd: what it wants to do 3342 * 3343 * Returns 0 if current has the requested access, error code otherwise 3344 */ 3345 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3346 { 3347 int may; 3348 3349 switch (cmd) { 3350 case IPC_STAT: 3351 case MSG_STAT: 3352 case MSG_STAT_ANY: 3353 may = MAY_READ; 3354 break; 3355 case IPC_SET: 3356 case IPC_RMID: 3357 may = MAY_READWRITE; 3358 break; 3359 case IPC_INFO: 3360 case MSG_INFO: 3361 /* 3362 * System level information 3363 */ 3364 return 0; 3365 default: 3366 return -EINVAL; 3367 } 3368 3369 return smk_curacc_msq(isp, may); 3370 } 3371 3372 /** 3373 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3374 * @isp: the object 3375 * @msg: unused 3376 * @msqflg: access requested 3377 * 3378 * Returns 0 if current has the requested access, error code otherwise 3379 */ 3380 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3381 int msqflg) 3382 { 3383 int may; 3384 3385 may = smack_flags_to_may(msqflg); 3386 return smk_curacc_msq(isp, may); 3387 } 3388 3389 /** 3390 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3391 * @isp: the object 3392 * @msg: unused 3393 * @target: unused 3394 * @type: unused 3395 * @mode: unused 3396 * 3397 * Returns 0 if current has read and write access, error code otherwise 3398 */ 3399 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3400 struct msg_msg *msg, 3401 struct task_struct *target, long type, 3402 int mode) 3403 { 3404 return smk_curacc_msq(isp, MAY_READWRITE); 3405 } 3406 3407 /** 3408 * smack_ipc_permission - Smack access for ipc_permission() 3409 * @ipp: the object permissions 3410 * @flag: access requested 3411 * 3412 * Returns 0 if current has read and write access, error code otherwise 3413 */ 3414 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3415 { 3416 struct smack_known **blob = smack_ipc(ipp); 3417 struct smack_known *iskp = *blob; 3418 int may = smack_flags_to_may(flag); 3419 struct smk_audit_info ad; 3420 int rc; 3421 3422 #ifdef CONFIG_AUDIT 3423 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3424 ad.a.u.ipc_id = ipp->id; 3425 #endif 3426 rc = smk_curacc(iskp, may, &ad); 3427 rc = smk_bu_current("svipc", iskp, may, rc); 3428 return rc; 3429 } 3430 3431 /** 3432 * smack_ipc_getlsmprop - Extract smack security data 3433 * @ipp: the object permissions 3434 * @prop: where result will be saved 3435 */ 3436 static void smack_ipc_getlsmprop(struct kern_ipc_perm *ipp, struct lsm_prop *prop) 3437 { 3438 struct smack_known **iskpp = smack_ipc(ipp); 3439 3440 prop->smack.skp = *iskpp; 3441 } 3442 3443 /** 3444 * smack_d_instantiate - Make sure the blob is correct on an inode 3445 * @opt_dentry: dentry where inode will be attached 3446 * @inode: the object 3447 * 3448 * Set the inode's security blob if it hasn't been done already. 3449 */ 3450 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3451 { 3452 struct super_block *sbp; 3453 struct superblock_smack *sbsp; 3454 struct inode_smack *isp; 3455 struct smack_known *skp; 3456 struct smack_known *ckp = smk_of_current(); 3457 struct smack_known *final; 3458 char trattr[TRANS_TRUE_SIZE]; 3459 int transflag = 0; 3460 int rc; 3461 struct dentry *dp; 3462 3463 if (inode == NULL) 3464 return; 3465 3466 isp = smack_inode(inode); 3467 3468 /* 3469 * If the inode is already instantiated 3470 * take the quick way out 3471 */ 3472 if (isp->smk_flags & SMK_INODE_INSTANT) 3473 return; 3474 3475 sbp = inode->i_sb; 3476 sbsp = smack_superblock(sbp); 3477 /* 3478 * We're going to use the superblock default label 3479 * if there's no label on the file. 3480 */ 3481 final = sbsp->smk_default; 3482 3483 /* 3484 * If this is the root inode the superblock 3485 * may be in the process of initialization. 3486 * If that is the case use the root value out 3487 * of the superblock. 3488 */ 3489 if (opt_dentry->d_parent == opt_dentry) { 3490 switch (sbp->s_magic) { 3491 case CGROUP_SUPER_MAGIC: 3492 case CGROUP2_SUPER_MAGIC: 3493 /* 3494 * The cgroup filesystem is never mounted, 3495 * so there's no opportunity to set the mount 3496 * options. 3497 */ 3498 sbsp->smk_root = &smack_known_star; 3499 sbsp->smk_default = &smack_known_star; 3500 isp->smk_inode = sbsp->smk_root; 3501 break; 3502 case TMPFS_MAGIC: 3503 /* 3504 * What about shmem/tmpfs anonymous files with dentry 3505 * obtained from d_alloc_pseudo()? 3506 */ 3507 isp->smk_inode = smk_of_current(); 3508 break; 3509 case PIPEFS_MAGIC: 3510 isp->smk_inode = smk_of_current(); 3511 break; 3512 case SOCKFS_MAGIC: 3513 /* 3514 * Socket access is controlled by the socket 3515 * structures associated with the task involved. 3516 */ 3517 isp->smk_inode = &smack_known_star; 3518 break; 3519 default: 3520 isp->smk_inode = sbsp->smk_root; 3521 break; 3522 } 3523 isp->smk_flags |= SMK_INODE_INSTANT; 3524 return; 3525 } 3526 3527 /* 3528 * This is pretty hackish. 3529 * Casey says that we shouldn't have to do 3530 * file system specific code, but it does help 3531 * with keeping it simple. 3532 */ 3533 switch (sbp->s_magic) { 3534 case SMACK_MAGIC: 3535 case CGROUP_SUPER_MAGIC: 3536 case CGROUP2_SUPER_MAGIC: 3537 /* 3538 * Casey says that it's a little embarrassing 3539 * that the smack file system doesn't do 3540 * extended attributes. 3541 * 3542 * Cgroupfs is special 3543 */ 3544 final = &smack_known_star; 3545 break; 3546 case DEVPTS_SUPER_MAGIC: 3547 /* 3548 * devpts seems content with the label of the task. 3549 * Programs that change smack have to treat the 3550 * pty with respect. 3551 */ 3552 final = ckp; 3553 break; 3554 case PROC_SUPER_MAGIC: 3555 /* 3556 * Casey says procfs appears not to care. 3557 * The superblock default suffices. 3558 */ 3559 break; 3560 case TMPFS_MAGIC: 3561 /* 3562 * Device labels should come from the filesystem, 3563 * but watch out, because they're volitile, 3564 * getting recreated on every reboot. 3565 */ 3566 final = &smack_known_star; 3567 /* 3568 * If a smack value has been set we want to use it, 3569 * but since tmpfs isn't giving us the opportunity 3570 * to set mount options simulate setting the 3571 * superblock default. 3572 */ 3573 fallthrough; 3574 default: 3575 /* 3576 * This isn't an understood special case. 3577 * Get the value from the xattr. 3578 */ 3579 3580 /* 3581 * UNIX domain sockets use lower level socket data. 3582 */ 3583 if (S_ISSOCK(inode->i_mode)) { 3584 final = &smack_known_star; 3585 break; 3586 } 3587 /* 3588 * No xattr support means, alas, no SMACK label. 3589 * Use the aforeapplied default. 3590 * It would be curious if the label of the task 3591 * does not match that assigned. 3592 */ 3593 if (!(inode->i_opflags & IOP_XATTR)) 3594 break; 3595 /* 3596 * Get the dentry for xattr. 3597 */ 3598 dp = dget(opt_dentry); 3599 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3600 if (!IS_ERR_OR_NULL(skp)) 3601 final = skp; 3602 3603 /* 3604 * Transmuting directory 3605 */ 3606 if (S_ISDIR(inode->i_mode)) { 3607 /* 3608 * If this is a new directory and the label was 3609 * transmuted when the inode was initialized 3610 * set the transmute attribute on the directory 3611 * and mark the inode. 3612 * 3613 * If there is a transmute attribute on the 3614 * directory mark the inode. 3615 */ 3616 rc = __vfs_getxattr(dp, inode, 3617 XATTR_NAME_SMACKTRANSMUTE, trattr, 3618 TRANS_TRUE_SIZE); 3619 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3620 TRANS_TRUE_SIZE) != 0) 3621 rc = -EINVAL; 3622 if (rc >= 0) 3623 transflag = SMK_INODE_TRANSMUTE; 3624 } 3625 /* 3626 * Don't let the exec or mmap label be "*" or "@". 3627 */ 3628 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3629 if (IS_ERR(skp) || skp == &smack_known_star || 3630 skp == &smack_known_web) 3631 skp = NULL; 3632 isp->smk_task = skp; 3633 3634 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3635 if (IS_ERR(skp) || skp == &smack_known_star || 3636 skp == &smack_known_web) 3637 skp = NULL; 3638 isp->smk_mmap = skp; 3639 3640 dput(dp); 3641 break; 3642 } 3643 3644 if (final == NULL) 3645 isp->smk_inode = ckp; 3646 else 3647 isp->smk_inode = final; 3648 3649 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3650 3651 return; 3652 } 3653 3654 /** 3655 * smack_getselfattr - Smack current process attribute 3656 * @attr: which attribute to fetch 3657 * @ctx: buffer to receive the result 3658 * @size: available size in, actual size out 3659 * @flags: unused 3660 * 3661 * Fill the passed user space @ctx with the details of the requested 3662 * attribute. 3663 * 3664 * Returns the number of attributes on success, an error code otherwise. 3665 * There will only ever be one attribute. 3666 */ 3667 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3668 u32 *size, u32 flags) 3669 { 3670 int rc; 3671 struct smack_known *skp; 3672 3673 if (attr != LSM_ATTR_CURRENT) 3674 return -EOPNOTSUPP; 3675 3676 skp = smk_of_current(); 3677 rc = lsm_fill_user_ctx(ctx, size, 3678 skp->smk_known, strlen(skp->smk_known) + 1, 3679 LSM_ID_SMACK, 0); 3680 return (!rc ? 1 : rc); 3681 } 3682 3683 /** 3684 * smack_getprocattr - Smack process attribute access 3685 * @p: the object task 3686 * @name: the name of the attribute in /proc/.../attr 3687 * @value: where to put the result 3688 * 3689 * Places a copy of the task Smack into value 3690 * 3691 * Returns the length of the smack label or an error code 3692 */ 3693 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3694 { 3695 struct smack_known *skp = smk_of_task_struct_obj(p); 3696 char *cp; 3697 int slen; 3698 3699 if (strcmp(name, "current") != 0) 3700 return -EINVAL; 3701 3702 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3703 if (cp == NULL) 3704 return -ENOMEM; 3705 3706 slen = strlen(cp); 3707 *value = cp; 3708 return slen; 3709 } 3710 3711 /** 3712 * do_setattr - Smack process attribute setting 3713 * @attr: the ID of the attribute 3714 * @value: the value to set 3715 * @size: the size of the value 3716 * 3717 * Sets the Smack value of the task. Only setting self 3718 * is permitted and only with privilege 3719 * 3720 * Returns the length of the smack label or an error code 3721 */ 3722 static int do_setattr(u64 attr, void *value, size_t size) 3723 { 3724 struct task_smack *tsp = smack_cred(current_cred()); 3725 struct cred *new; 3726 struct smack_known *skp; 3727 struct smack_known_list_elem *sklep; 3728 int rc; 3729 3730 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3731 return -EPERM; 3732 3733 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3734 return -EINVAL; 3735 3736 if (attr != LSM_ATTR_CURRENT) 3737 return -EOPNOTSUPP; 3738 3739 skp = smk_import_entry(value, size); 3740 if (IS_ERR(skp)) 3741 return PTR_ERR(skp); 3742 3743 /* 3744 * No process is ever allowed the web ("@") label 3745 * and the star ("*") label. 3746 */ 3747 if (skp == &smack_known_web || skp == &smack_known_star) 3748 return -EINVAL; 3749 3750 if (!smack_privileged(CAP_MAC_ADMIN)) { 3751 rc = -EPERM; 3752 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3753 if (sklep->smk_label == skp) { 3754 rc = 0; 3755 break; 3756 } 3757 if (rc) 3758 return rc; 3759 } 3760 3761 new = prepare_creds(); 3762 if (new == NULL) 3763 return -ENOMEM; 3764 3765 tsp = smack_cred(new); 3766 tsp->smk_task = skp; 3767 /* 3768 * process can change its label only once 3769 */ 3770 smk_destroy_label_list(&tsp->smk_relabel); 3771 3772 commit_creds(new); 3773 return size; 3774 } 3775 3776 /** 3777 * smack_setselfattr - Set a Smack process attribute 3778 * @attr: which attribute to set 3779 * @ctx: buffer containing the data 3780 * @size: size of @ctx 3781 * @flags: unused 3782 * 3783 * Fill the passed user space @ctx with the details of the requested 3784 * attribute. 3785 * 3786 * Returns 0 on success, an error code otherwise. 3787 */ 3788 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3789 u32 size, u32 flags) 3790 { 3791 int rc; 3792 3793 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3794 if (rc > 0) 3795 return 0; 3796 return rc; 3797 } 3798 3799 /** 3800 * smack_setprocattr - Smack process attribute setting 3801 * @name: the name of the attribute in /proc/.../attr 3802 * @value: the value to set 3803 * @size: the size of the value 3804 * 3805 * Sets the Smack value of the task. Only setting self 3806 * is permitted and only with privilege 3807 * 3808 * Returns the length of the smack label or an error code 3809 */ 3810 static int smack_setprocattr(const char *name, void *value, size_t size) 3811 { 3812 int attr = lsm_name_to_attr(name); 3813 3814 if (attr != LSM_ATTR_UNDEF) 3815 return do_setattr(attr, value, size); 3816 return -EINVAL; 3817 } 3818 3819 /** 3820 * smack_unix_stream_connect - Smack access on UDS 3821 * @sock: one sock 3822 * @other: the other sock 3823 * @newsk: unused 3824 * 3825 * Return 0 if a subject with the smack of sock could access 3826 * an object with the smack of other, otherwise an error code 3827 */ 3828 static int smack_unix_stream_connect(struct sock *sock, 3829 struct sock *other, struct sock *newsk) 3830 { 3831 struct smack_known *skp; 3832 struct smack_known *okp; 3833 struct socket_smack *ssp = smack_sock(sock); 3834 struct socket_smack *osp = smack_sock(other); 3835 struct socket_smack *nsp = smack_sock(newsk); 3836 struct smk_audit_info ad; 3837 int rc = 0; 3838 #ifdef CONFIG_AUDIT 3839 struct lsm_network_audit net; 3840 #endif 3841 3842 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3843 skp = ssp->smk_out; 3844 okp = osp->smk_in; 3845 #ifdef CONFIG_AUDIT 3846 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3847 smk_ad_setfield_u_net_sk(&ad, other); 3848 #endif 3849 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3850 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3851 if (rc == 0) { 3852 okp = osp->smk_out; 3853 skp = ssp->smk_in; 3854 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3855 rc = smk_bu_note("UDS connect", okp, skp, 3856 MAY_WRITE, rc); 3857 } 3858 } 3859 3860 if (rc == 0) { 3861 /* 3862 * Cross reference the peer labels for SO_PEERSEC. 3863 */ 3864 nsp->smk_packet = ssp->smk_out; 3865 ssp->smk_packet = osp->smk_out; 3866 3867 /* 3868 * new/child/established socket must inherit listening socket labels 3869 */ 3870 nsp->smk_out = osp->smk_out; 3871 nsp->smk_in = osp->smk_in; 3872 } 3873 3874 return rc; 3875 } 3876 3877 /** 3878 * smack_unix_may_send - Smack access on UDS 3879 * @sock: one socket 3880 * @other: the other socket 3881 * 3882 * Return 0 if a subject with the smack of sock could access 3883 * an object with the smack of other, otherwise an error code 3884 */ 3885 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3886 { 3887 struct socket_smack *ssp = smack_sock(sock->sk); 3888 struct socket_smack *osp = smack_sock(other->sk); 3889 struct smk_audit_info ad; 3890 int rc; 3891 3892 #ifdef CONFIG_AUDIT 3893 struct lsm_network_audit net; 3894 3895 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3896 smk_ad_setfield_u_net_sk(&ad, other->sk); 3897 #endif 3898 3899 if (smack_privileged(CAP_MAC_OVERRIDE)) 3900 return 0; 3901 3902 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3903 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3904 return rc; 3905 } 3906 3907 /** 3908 * smack_socket_sendmsg - Smack check based on destination host 3909 * @sock: the socket 3910 * @msg: the message 3911 * @size: the size of the message 3912 * 3913 * Return 0 if the current subject can write to the destination host. 3914 * For IPv4 this is only a question if the destination is a single label host. 3915 * For IPv6 this is a check against the label of the port. 3916 */ 3917 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3918 int size) 3919 { 3920 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3921 #if IS_ENABLED(CONFIG_IPV6) 3922 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3923 #endif 3924 #ifdef SMACK_IPV6_SECMARK_LABELING 3925 struct socket_smack *ssp = smack_sock(sock->sk); 3926 struct smack_known *rsp; 3927 #endif 3928 int rc = 0; 3929 3930 /* 3931 * Perfectly reasonable for this to be NULL 3932 */ 3933 if (sip == NULL) 3934 return 0; 3935 3936 switch (sock->sk->sk_family) { 3937 case AF_INET: 3938 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3939 sip->sin_family != AF_INET) 3940 return -EINVAL; 3941 rc = smk_ipv4_check(sock->sk, sip); 3942 break; 3943 #if IS_ENABLED(CONFIG_IPV6) 3944 case AF_INET6: 3945 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3946 sap->sin6_family != AF_INET6) 3947 return -EINVAL; 3948 #ifdef SMACK_IPV6_SECMARK_LABELING 3949 rsp = smack_ipv6host_label(sap); 3950 if (rsp != NULL) 3951 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3952 SMK_CONNECTING); 3953 #endif 3954 #ifdef SMACK_IPV6_PORT_LABELING 3955 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3956 #endif 3957 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3958 break; 3959 } 3960 return rc; 3961 } 3962 3963 /** 3964 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3965 * @sap: netlabel secattr 3966 * @ssp: socket security information 3967 * 3968 * Returns a pointer to a Smack label entry found on the label list. 3969 */ 3970 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3971 struct socket_smack *ssp) 3972 { 3973 struct smack_known *skp; 3974 int found = 0; 3975 int acat; 3976 int kcat; 3977 3978 /* 3979 * Netlabel found it in the cache. 3980 */ 3981 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3982 return (struct smack_known *)sap->cache->data; 3983 3984 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3985 /* 3986 * Looks like a fallback, which gives us a secid. 3987 */ 3988 return smack_from_secid(sap->attr.secid); 3989 3990 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3991 /* 3992 * Looks like a CIPSO packet. 3993 * If there are flags but no level netlabel isn't 3994 * behaving the way we expect it to. 3995 * 3996 * Look it up in the label table 3997 * Without guidance regarding the smack value 3998 * for the packet fall back on the network 3999 * ambient value. 4000 */ 4001 rcu_read_lock(); 4002 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4003 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4004 continue; 4005 /* 4006 * Compare the catsets. Use the netlbl APIs. 4007 */ 4008 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4009 if ((skp->smk_netlabel.flags & 4010 NETLBL_SECATTR_MLS_CAT) == 0) 4011 found = 1; 4012 break; 4013 } 4014 for (acat = -1, kcat = -1; acat == kcat; ) { 4015 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4016 acat + 1); 4017 kcat = netlbl_catmap_walk( 4018 skp->smk_netlabel.attr.mls.cat, 4019 kcat + 1); 4020 if (acat < 0 || kcat < 0) 4021 break; 4022 } 4023 if (acat == kcat) { 4024 found = 1; 4025 break; 4026 } 4027 } 4028 rcu_read_unlock(); 4029 4030 if (found) 4031 return skp; 4032 4033 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4034 return &smack_known_web; 4035 return &smack_known_star; 4036 } 4037 /* 4038 * Without guidance regarding the smack value 4039 * for the packet fall back on the network 4040 * ambient value. 4041 */ 4042 return smack_net_ambient; 4043 } 4044 4045 #if IS_ENABLED(CONFIG_IPV6) 4046 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4047 { 4048 u8 nexthdr; 4049 int offset; 4050 int proto = -EINVAL; 4051 struct ipv6hdr _ipv6h; 4052 struct ipv6hdr *ip6; 4053 __be16 frag_off; 4054 struct tcphdr _tcph, *th; 4055 struct udphdr _udph, *uh; 4056 struct dccp_hdr _dccph, *dh; 4057 4058 sip->sin6_port = 0; 4059 4060 offset = skb_network_offset(skb); 4061 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4062 if (ip6 == NULL) 4063 return -EINVAL; 4064 sip->sin6_addr = ip6->saddr; 4065 4066 nexthdr = ip6->nexthdr; 4067 offset += sizeof(_ipv6h); 4068 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4069 if (offset < 0) 4070 return -EINVAL; 4071 4072 proto = nexthdr; 4073 switch (proto) { 4074 case IPPROTO_TCP: 4075 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4076 if (th != NULL) 4077 sip->sin6_port = th->source; 4078 break; 4079 case IPPROTO_UDP: 4080 case IPPROTO_UDPLITE: 4081 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4082 if (uh != NULL) 4083 sip->sin6_port = uh->source; 4084 break; 4085 case IPPROTO_DCCP: 4086 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4087 if (dh != NULL) 4088 sip->sin6_port = dh->dccph_sport; 4089 break; 4090 } 4091 return proto; 4092 } 4093 #endif /* CONFIG_IPV6 */ 4094 4095 /** 4096 * smack_from_skb - Smack data from the secmark in an skb 4097 * @skb: packet 4098 * 4099 * Returns smack_known of the secmark or NULL if that won't work. 4100 */ 4101 #ifdef CONFIG_NETWORK_SECMARK 4102 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4103 { 4104 if (skb == NULL || skb->secmark == 0) 4105 return NULL; 4106 4107 return smack_from_secid(skb->secmark); 4108 } 4109 #else 4110 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4111 { 4112 return NULL; 4113 } 4114 #endif 4115 4116 /** 4117 * smack_from_netlbl - Smack data from the IP options in an skb 4118 * @sk: socket data came in on 4119 * @family: address family 4120 * @skb: packet 4121 * 4122 * Find the Smack label in the IP options. If it hasn't been 4123 * added to the netlabel cache, add it here. 4124 * 4125 * Returns smack_known of the IP options or NULL if that won't work. 4126 */ 4127 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4128 struct sk_buff *skb) 4129 { 4130 struct netlbl_lsm_secattr secattr; 4131 struct socket_smack *ssp = NULL; 4132 struct smack_known *skp = NULL; 4133 4134 netlbl_secattr_init(&secattr); 4135 4136 if (sk) 4137 ssp = smack_sock(sk); 4138 4139 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4140 skp = smack_from_secattr(&secattr, ssp); 4141 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4142 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4143 } 4144 4145 netlbl_secattr_destroy(&secattr); 4146 4147 return skp; 4148 } 4149 4150 /** 4151 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4152 * @sk: socket 4153 * @skb: packet 4154 * 4155 * Returns 0 if the packet should be delivered, an error code otherwise 4156 */ 4157 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4158 { 4159 struct socket_smack *ssp = smack_sock(sk); 4160 struct smack_known *skp = NULL; 4161 int rc = 0; 4162 struct smk_audit_info ad; 4163 u16 family = sk->sk_family; 4164 #ifdef CONFIG_AUDIT 4165 struct lsm_network_audit net; 4166 #endif 4167 #if IS_ENABLED(CONFIG_IPV6) 4168 struct sockaddr_in6 sadd; 4169 int proto; 4170 4171 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4172 family = PF_INET; 4173 #endif /* CONFIG_IPV6 */ 4174 4175 switch (family) { 4176 case PF_INET: 4177 /* 4178 * If there is a secmark use it rather than the CIPSO label. 4179 * If there is no secmark fall back to CIPSO. 4180 * The secmark is assumed to reflect policy better. 4181 */ 4182 skp = smack_from_skb(skb); 4183 if (skp == NULL) { 4184 skp = smack_from_netlbl(sk, family, skb); 4185 if (skp == NULL) 4186 skp = smack_net_ambient; 4187 } 4188 4189 #ifdef CONFIG_AUDIT 4190 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4191 ad.a.u.net->family = family; 4192 ad.a.u.net->netif = skb->skb_iif; 4193 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4194 #endif 4195 /* 4196 * Receiving a packet requires that the other end 4197 * be able to write here. Read access is not required. 4198 * This is the simplist possible security model 4199 * for networking. 4200 */ 4201 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4202 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4203 MAY_WRITE, rc); 4204 if (rc != 0) 4205 netlbl_skbuff_err(skb, family, rc, 0); 4206 break; 4207 #if IS_ENABLED(CONFIG_IPV6) 4208 case PF_INET6: 4209 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4210 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4211 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 4212 break; 4213 #ifdef SMACK_IPV6_SECMARK_LABELING 4214 skp = smack_from_skb(skb); 4215 if (skp == NULL) { 4216 if (smk_ipv6_localhost(&sadd)) 4217 break; 4218 skp = smack_ipv6host_label(&sadd); 4219 if (skp == NULL) 4220 skp = smack_net_ambient; 4221 } 4222 #ifdef CONFIG_AUDIT 4223 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4224 ad.a.u.net->family = family; 4225 ad.a.u.net->netif = skb->skb_iif; 4226 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4227 #endif /* CONFIG_AUDIT */ 4228 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4229 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4230 MAY_WRITE, rc); 4231 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4232 #ifdef SMACK_IPV6_PORT_LABELING 4233 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4234 #endif /* SMACK_IPV6_PORT_LABELING */ 4235 if (rc != 0) 4236 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4237 ICMPV6_ADM_PROHIBITED, 0); 4238 break; 4239 #endif /* CONFIG_IPV6 */ 4240 } 4241 4242 return rc; 4243 } 4244 4245 /** 4246 * smack_socket_getpeersec_stream - pull in packet label 4247 * @sock: the socket 4248 * @optval: user's destination 4249 * @optlen: size thereof 4250 * @len: max thereof 4251 * 4252 * returns zero on success, an error code otherwise 4253 */ 4254 static int smack_socket_getpeersec_stream(struct socket *sock, 4255 sockptr_t optval, sockptr_t optlen, 4256 unsigned int len) 4257 { 4258 struct socket_smack *ssp; 4259 char *rcp = ""; 4260 u32 slen = 1; 4261 int rc = 0; 4262 4263 ssp = smack_sock(sock->sk); 4264 if (ssp->smk_packet != NULL) { 4265 rcp = ssp->smk_packet->smk_known; 4266 slen = strlen(rcp) + 1; 4267 } 4268 if (slen > len) { 4269 rc = -ERANGE; 4270 goto out_len; 4271 } 4272 4273 if (copy_to_sockptr(optval, rcp, slen)) 4274 rc = -EFAULT; 4275 out_len: 4276 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4277 rc = -EFAULT; 4278 return rc; 4279 } 4280 4281 4282 /** 4283 * smack_socket_getpeersec_dgram - pull in packet label 4284 * @sock: the peer socket 4285 * @skb: packet data 4286 * @secid: pointer to where to put the secid of the packet 4287 * 4288 * Sets the netlabel socket state on sk from parent 4289 */ 4290 static int smack_socket_getpeersec_dgram(struct socket *sock, 4291 struct sk_buff *skb, u32 *secid) 4292 4293 { 4294 struct socket_smack *ssp = NULL; 4295 struct smack_known *skp; 4296 struct sock *sk = NULL; 4297 int family = PF_UNSPEC; 4298 u32 s = 0; /* 0 is the invalid secid */ 4299 4300 if (skb != NULL) { 4301 if (skb->protocol == htons(ETH_P_IP)) 4302 family = PF_INET; 4303 #if IS_ENABLED(CONFIG_IPV6) 4304 else if (skb->protocol == htons(ETH_P_IPV6)) 4305 family = PF_INET6; 4306 #endif /* CONFIG_IPV6 */ 4307 } 4308 if (family == PF_UNSPEC && sock != NULL) 4309 family = sock->sk->sk_family; 4310 4311 switch (family) { 4312 case PF_UNIX: 4313 ssp = smack_sock(sock->sk); 4314 s = ssp->smk_out->smk_secid; 4315 break; 4316 case PF_INET: 4317 skp = smack_from_skb(skb); 4318 if (skp) { 4319 s = skp->smk_secid; 4320 break; 4321 } 4322 /* 4323 * Translate what netlabel gave us. 4324 */ 4325 if (sock != NULL) 4326 sk = sock->sk; 4327 skp = smack_from_netlbl(sk, family, skb); 4328 if (skp != NULL) 4329 s = skp->smk_secid; 4330 break; 4331 case PF_INET6: 4332 #ifdef SMACK_IPV6_SECMARK_LABELING 4333 skp = smack_from_skb(skb); 4334 if (skp) 4335 s = skp->smk_secid; 4336 #endif 4337 break; 4338 } 4339 *secid = s; 4340 if (s == 0) 4341 return -EINVAL; 4342 return 0; 4343 } 4344 4345 /** 4346 * smack_sock_graft - Initialize a newly created socket with an existing sock 4347 * @sk: child sock 4348 * @parent: parent socket 4349 * 4350 * Set the smk_{in,out} state of an existing sock based on the process that 4351 * is creating the new socket. 4352 */ 4353 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4354 { 4355 struct socket_smack *ssp; 4356 struct smack_known *skp = smk_of_current(); 4357 4358 if (sk == NULL || 4359 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4360 return; 4361 4362 ssp = smack_sock(sk); 4363 ssp->smk_in = skp; 4364 ssp->smk_out = skp; 4365 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4366 } 4367 4368 /** 4369 * smack_inet_conn_request - Smack access check on connect 4370 * @sk: socket involved 4371 * @skb: packet 4372 * @req: unused 4373 * 4374 * Returns 0 if a task with the packet label could write to 4375 * the socket, otherwise an error code 4376 */ 4377 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4378 struct request_sock *req) 4379 { 4380 u16 family = sk->sk_family; 4381 struct smack_known *skp; 4382 struct socket_smack *ssp = smack_sock(sk); 4383 struct sockaddr_in addr; 4384 struct iphdr *hdr; 4385 struct smack_known *hskp; 4386 int rc; 4387 struct smk_audit_info ad; 4388 #ifdef CONFIG_AUDIT 4389 struct lsm_network_audit net; 4390 #endif 4391 4392 #if IS_ENABLED(CONFIG_IPV6) 4393 if (family == PF_INET6) { 4394 /* 4395 * Handle mapped IPv4 packets arriving 4396 * via IPv6 sockets. Don't set up netlabel 4397 * processing on IPv6. 4398 */ 4399 if (skb->protocol == htons(ETH_P_IP)) 4400 family = PF_INET; 4401 else 4402 return 0; 4403 } 4404 #endif /* CONFIG_IPV6 */ 4405 4406 /* 4407 * If there is a secmark use it rather than the CIPSO label. 4408 * If there is no secmark fall back to CIPSO. 4409 * The secmark is assumed to reflect policy better. 4410 */ 4411 skp = smack_from_skb(skb); 4412 if (skp == NULL) { 4413 skp = smack_from_netlbl(sk, family, skb); 4414 if (skp == NULL) 4415 skp = &smack_known_huh; 4416 } 4417 4418 #ifdef CONFIG_AUDIT 4419 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4420 ad.a.u.net->family = family; 4421 ad.a.u.net->netif = skb->skb_iif; 4422 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4423 #endif 4424 /* 4425 * Receiving a packet requires that the other end be able to write 4426 * here. Read access is not required. 4427 */ 4428 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4429 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4430 if (rc != 0) 4431 return rc; 4432 4433 /* 4434 * Save the peer's label in the request_sock so we can later setup 4435 * smk_packet in the child socket so that SO_PEERCRED can report it. 4436 */ 4437 req->peer_secid = skp->smk_secid; 4438 4439 /* 4440 * We need to decide if we want to label the incoming connection here 4441 * if we do we only need to label the request_sock and the stack will 4442 * propagate the wire-label to the sock when it is created. 4443 */ 4444 hdr = ip_hdr(skb); 4445 addr.sin_addr.s_addr = hdr->saddr; 4446 rcu_read_lock(); 4447 hskp = smack_ipv4host_label(&addr); 4448 rcu_read_unlock(); 4449 4450 if (hskp == NULL) 4451 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4452 else 4453 netlbl_req_delattr(req); 4454 4455 return rc; 4456 } 4457 4458 /** 4459 * smack_inet_csk_clone - Copy the connection information to the new socket 4460 * @sk: the new socket 4461 * @req: the connection's request_sock 4462 * 4463 * Transfer the connection's peer label to the newly created socket. 4464 */ 4465 static void smack_inet_csk_clone(struct sock *sk, 4466 const struct request_sock *req) 4467 { 4468 struct socket_smack *ssp = smack_sock(sk); 4469 struct smack_known *skp; 4470 4471 if (req->peer_secid != 0) { 4472 skp = smack_from_secid(req->peer_secid); 4473 ssp->smk_packet = skp; 4474 } else 4475 ssp->smk_packet = NULL; 4476 } 4477 4478 /* 4479 * Key management security hooks 4480 * 4481 * Casey has not tested key support very heavily. 4482 * The permission check is most likely too restrictive. 4483 * If you care about keys please have a look. 4484 */ 4485 #ifdef CONFIG_KEYS 4486 4487 /** 4488 * smack_key_alloc - Set the key security blob 4489 * @key: object 4490 * @cred: the credentials to use 4491 * @flags: unused 4492 * 4493 * No allocation required 4494 * 4495 * Returns 0 4496 */ 4497 static int smack_key_alloc(struct key *key, const struct cred *cred, 4498 unsigned long flags) 4499 { 4500 struct smack_known **blob = smack_key(key); 4501 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4502 4503 *blob = skp; 4504 return 0; 4505 } 4506 4507 /** 4508 * smack_key_permission - Smack access on a key 4509 * @key_ref: gets to the object 4510 * @cred: the credentials to use 4511 * @need_perm: requested key permission 4512 * 4513 * Return 0 if the task has read and write to the object, 4514 * an error code otherwise 4515 */ 4516 static int smack_key_permission(key_ref_t key_ref, 4517 const struct cred *cred, 4518 enum key_need_perm need_perm) 4519 { 4520 struct smack_known **blob; 4521 struct smack_known *skp; 4522 struct key *keyp; 4523 struct smk_audit_info ad; 4524 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4525 int request = 0; 4526 int rc; 4527 4528 /* 4529 * Validate requested permissions 4530 */ 4531 switch (need_perm) { 4532 case KEY_NEED_READ: 4533 case KEY_NEED_SEARCH: 4534 case KEY_NEED_VIEW: 4535 request |= MAY_READ; 4536 break; 4537 case KEY_NEED_WRITE: 4538 case KEY_NEED_LINK: 4539 case KEY_NEED_SETATTR: 4540 request |= MAY_WRITE; 4541 break; 4542 case KEY_NEED_UNSPECIFIED: 4543 case KEY_NEED_UNLINK: 4544 case KEY_SYSADMIN_OVERRIDE: 4545 case KEY_AUTHTOKEN_OVERRIDE: 4546 case KEY_DEFER_PERM_CHECK: 4547 return 0; 4548 default: 4549 return -EINVAL; 4550 } 4551 4552 keyp = key_ref_to_ptr(key_ref); 4553 if (keyp == NULL) 4554 return -EINVAL; 4555 /* 4556 * If the key hasn't been initialized give it access so that 4557 * it may do so. 4558 */ 4559 blob = smack_key(keyp); 4560 skp = *blob; 4561 if (skp == NULL) 4562 return 0; 4563 /* 4564 * This should not occur 4565 */ 4566 if (tkp == NULL) 4567 return -EACCES; 4568 4569 if (smack_privileged(CAP_MAC_OVERRIDE)) 4570 return 0; 4571 4572 #ifdef CONFIG_AUDIT 4573 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4574 ad.a.u.key_struct.key = keyp->serial; 4575 ad.a.u.key_struct.key_desc = keyp->description; 4576 #endif 4577 rc = smk_access(tkp, skp, request, &ad); 4578 rc = smk_bu_note("key access", tkp, skp, request, rc); 4579 return rc; 4580 } 4581 4582 /* 4583 * smack_key_getsecurity - Smack label tagging the key 4584 * @key points to the key to be queried 4585 * @_buffer points to a pointer that should be set to point to the 4586 * resulting string (if no label or an error occurs). 4587 * Return the length of the string (including terminating NUL) or -ve if 4588 * an error. 4589 * May also return 0 (and a NULL buffer pointer) if there is no label. 4590 */ 4591 static int smack_key_getsecurity(struct key *key, char **_buffer) 4592 { 4593 struct smack_known **blob = smack_key(key); 4594 struct smack_known *skp = *blob; 4595 size_t length; 4596 char *copy; 4597 4598 if (skp == NULL) { 4599 *_buffer = NULL; 4600 return 0; 4601 } 4602 4603 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4604 if (copy == NULL) 4605 return -ENOMEM; 4606 length = strlen(copy) + 1; 4607 4608 *_buffer = copy; 4609 return length; 4610 } 4611 4612 4613 #ifdef CONFIG_KEY_NOTIFICATIONS 4614 /** 4615 * smack_watch_key - Smack access to watch a key for notifications. 4616 * @key: The key to be watched 4617 * 4618 * Return 0 if the @watch->cred has permission to read from the key object and 4619 * an error otherwise. 4620 */ 4621 static int smack_watch_key(struct key *key) 4622 { 4623 struct smk_audit_info ad; 4624 struct smack_known *tkp = smk_of_current(); 4625 struct smack_known **blob = smack_key(key); 4626 int rc; 4627 4628 /* 4629 * This should not occur 4630 */ 4631 if (tkp == NULL) 4632 return -EACCES; 4633 4634 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4635 return 0; 4636 4637 #ifdef CONFIG_AUDIT 4638 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4639 ad.a.u.key_struct.key = key->serial; 4640 ad.a.u.key_struct.key_desc = key->description; 4641 #endif 4642 rc = smk_access(tkp, *blob, MAY_READ, &ad); 4643 rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc); 4644 return rc; 4645 } 4646 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4647 #endif /* CONFIG_KEYS */ 4648 4649 #ifdef CONFIG_WATCH_QUEUE 4650 /** 4651 * smack_post_notification - Smack access to post a notification to a queue 4652 * @w_cred: The credentials of the watcher. 4653 * @cred: The credentials of the event source (may be NULL). 4654 * @n: The notification message to be posted. 4655 */ 4656 static int smack_post_notification(const struct cred *w_cred, 4657 const struct cred *cred, 4658 struct watch_notification *n) 4659 { 4660 struct smk_audit_info ad; 4661 struct smack_known *subj, *obj; 4662 int rc; 4663 4664 /* Always let maintenance notifications through. */ 4665 if (n->type == WATCH_TYPE_META) 4666 return 0; 4667 4668 if (!cred) 4669 return 0; 4670 subj = smk_of_task(smack_cred(cred)); 4671 obj = smk_of_task(smack_cred(w_cred)); 4672 4673 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4674 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4675 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4676 return rc; 4677 } 4678 #endif /* CONFIG_WATCH_QUEUE */ 4679 4680 /* 4681 * Smack Audit hooks 4682 * 4683 * Audit requires a unique representation of each Smack specific 4684 * rule. This unique representation is used to distinguish the 4685 * object to be audited from remaining kernel objects and also 4686 * works as a glue between the audit hooks. 4687 * 4688 * Since repository entries are added but never deleted, we'll use 4689 * the smack_known label address related to the given audit rule as 4690 * the needed unique representation. This also better fits the smack 4691 * model where nearly everything is a label. 4692 */ 4693 #ifdef CONFIG_AUDIT 4694 4695 /** 4696 * smack_audit_rule_init - Initialize a smack audit rule 4697 * @field: audit rule fields given from user-space (audit.h) 4698 * @op: required testing operator (=, !=, >, <, ...) 4699 * @rulestr: smack label to be audited 4700 * @vrule: pointer to save our own audit rule representation 4701 * @gfp: type of the memory for the allocation 4702 * 4703 * Prepare to audit cases where (@field @op @rulestr) is true. 4704 * The label to be audited is created if necessay. 4705 */ 4706 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4707 gfp_t gfp) 4708 { 4709 struct smack_known *skp; 4710 char **rule = (char **)vrule; 4711 *rule = NULL; 4712 4713 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4714 return -EINVAL; 4715 4716 if (op != Audit_equal && op != Audit_not_equal) 4717 return -EINVAL; 4718 4719 skp = smk_import_entry(rulestr, 0); 4720 if (IS_ERR(skp)) 4721 return PTR_ERR(skp); 4722 4723 *rule = skp->smk_known; 4724 4725 return 0; 4726 } 4727 4728 /** 4729 * smack_audit_rule_known - Distinguish Smack audit rules 4730 * @krule: rule of interest, in Audit kernel representation format 4731 * 4732 * This is used to filter Smack rules from remaining Audit ones. 4733 * If it's proved that this rule belongs to us, the 4734 * audit_rule_match hook will be called to do the final judgement. 4735 */ 4736 static int smack_audit_rule_known(struct audit_krule *krule) 4737 { 4738 struct audit_field *f; 4739 int i; 4740 4741 for (i = 0; i < krule->field_count; i++) { 4742 f = &krule->fields[i]; 4743 4744 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4745 return 1; 4746 } 4747 4748 return 0; 4749 } 4750 4751 /** 4752 * smack_audit_rule_match - Audit given object ? 4753 * @prop: security id for identifying the object to test 4754 * @field: audit rule flags given from user-space 4755 * @op: required testing operator 4756 * @vrule: smack internal rule presentation 4757 * 4758 * The core Audit hook. It's used to take the decision of 4759 * whether to audit or not to audit a given object. 4760 */ 4761 static int smack_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, 4762 void *vrule) 4763 { 4764 struct smack_known *skp = prop->smack.skp; 4765 char *rule = vrule; 4766 4767 if (unlikely(!rule)) { 4768 WARN_ONCE(1, "Smack: missing rule\n"); 4769 return -ENOENT; 4770 } 4771 4772 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4773 return 0; 4774 4775 /* 4776 * No need to do string comparisons. If a match occurs, 4777 * both pointers will point to the same smack_known 4778 * label. 4779 */ 4780 if (op == Audit_equal) 4781 return (rule == skp->smk_known); 4782 if (op == Audit_not_equal) 4783 return (rule != skp->smk_known); 4784 4785 return 0; 4786 } 4787 4788 /* 4789 * There is no need for a smack_audit_rule_free hook. 4790 * No memory was allocated. 4791 */ 4792 4793 #endif /* CONFIG_AUDIT */ 4794 4795 /** 4796 * smack_ismaclabel - check if xattr @name references a smack MAC label 4797 * @name: Full xattr name to check. 4798 */ 4799 static int smack_ismaclabel(const char *name) 4800 { 4801 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4802 } 4803 4804 /** 4805 * smack_to_secctx - fill a lsm_context 4806 * @skp: Smack label 4807 * @cp: destination 4808 * 4809 * Fill the passed @cp and return the length of the string 4810 */ 4811 static int smack_to_secctx(struct smack_known *skp, struct lsm_context *cp) 4812 { 4813 int len = strlen(skp->smk_known); 4814 4815 if (cp) { 4816 cp->context = skp->smk_known; 4817 cp->len = len; 4818 cp->id = LSM_ID_SMACK; 4819 } 4820 return len; 4821 } 4822 4823 /** 4824 * smack_secid_to_secctx - return the smack label for a secid 4825 * @secid: incoming integer 4826 * @cp: destination 4827 * 4828 * Exists for networking code. 4829 */ 4830 static int smack_secid_to_secctx(u32 secid, struct lsm_context *cp) 4831 { 4832 return smack_to_secctx(smack_from_secid(secid), cp); 4833 } 4834 4835 /** 4836 * smack_lsmprop_to_secctx - return the smack label 4837 * @prop: includes incoming Smack data 4838 * @cp: destination 4839 * 4840 * Exists for audit code. 4841 */ 4842 static int smack_lsmprop_to_secctx(struct lsm_prop *prop, 4843 struct lsm_context *cp) 4844 { 4845 return smack_to_secctx(prop->smack.skp, cp); 4846 } 4847 4848 /** 4849 * smack_secctx_to_secid - return the secid for a smack label 4850 * @secdata: smack label 4851 * @seclen: how long result is 4852 * @secid: outgoing integer 4853 * 4854 * Exists for audit and networking code. 4855 */ 4856 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4857 { 4858 struct smack_known *skp = smk_find_entry(secdata); 4859 4860 if (skp) 4861 *secid = skp->smk_secid; 4862 else 4863 *secid = 0; 4864 return 0; 4865 } 4866 4867 /* 4868 * There used to be a smack_release_secctx hook 4869 * that did nothing back when hooks were in a vector. 4870 * Now that there's a list such a hook adds cost. 4871 */ 4872 4873 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4874 { 4875 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4876 ctxlen, 0); 4877 } 4878 4879 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4880 { 4881 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4882 ctx, ctxlen, 0, NULL); 4883 } 4884 4885 static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 4886 { 4887 struct smack_known *skp = smk_of_inode(inode); 4888 4889 cp->context = skp->smk_known; 4890 cp->len = strlen(skp->smk_known); 4891 cp->id = LSM_ID_SMACK; 4892 return 0; 4893 } 4894 4895 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4896 { 4897 4898 struct task_smack *tsp; 4899 struct smack_known *skp; 4900 struct inode_smack *isp; 4901 struct cred *new_creds = *new; 4902 4903 if (new_creds == NULL) { 4904 new_creds = prepare_creds(); 4905 if (new_creds == NULL) 4906 return -ENOMEM; 4907 } 4908 4909 tsp = smack_cred(new_creds); 4910 4911 /* 4912 * Get label from overlay inode and set it in create_sid 4913 */ 4914 isp = smack_inode(d_inode(dentry)); 4915 skp = isp->smk_inode; 4916 tsp->smk_task = skp; 4917 *new = new_creds; 4918 return 0; 4919 } 4920 4921 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4922 { 4923 /* 4924 * Return -ECANCELED if this is the smack access Smack attribute. 4925 */ 4926 if (!strcmp(name, XATTR_NAME_SMACK)) 4927 return -ECANCELED; 4928 4929 return -EOPNOTSUPP; 4930 } 4931 4932 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4933 struct qstr *name, 4934 const struct cred *old, 4935 struct cred *new) 4936 { 4937 struct task_smack *otsp = smack_cred(old); 4938 struct task_smack *ntsp = smack_cred(new); 4939 struct inode_smack *isp; 4940 int may; 4941 4942 /* 4943 * Use the process credential unless all of 4944 * the transmuting criteria are met 4945 */ 4946 ntsp->smk_task = otsp->smk_task; 4947 4948 /* 4949 * the attribute of the containing directory 4950 */ 4951 isp = smack_inode(d_inode(dentry->d_parent)); 4952 4953 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4954 rcu_read_lock(); 4955 may = smk_access_entry(otsp->smk_task->smk_known, 4956 isp->smk_inode->smk_known, 4957 &otsp->smk_task->smk_rules); 4958 rcu_read_unlock(); 4959 4960 /* 4961 * If the directory is transmuting and the rule 4962 * providing access is transmuting use the containing 4963 * directory label instead of the process label. 4964 */ 4965 if (may > 0 && (may & MAY_TRANSMUTE)) { 4966 ntsp->smk_task = isp->smk_inode; 4967 ntsp->smk_transmuted = ntsp->smk_task; 4968 } 4969 } 4970 return 0; 4971 } 4972 4973 #ifdef CONFIG_IO_URING 4974 /** 4975 * smack_uring_override_creds - Is io_uring cred override allowed? 4976 * @new: the target creds 4977 * 4978 * Check to see if the current task is allowed to override it's credentials 4979 * to service an io_uring operation. 4980 */ 4981 static int smack_uring_override_creds(const struct cred *new) 4982 { 4983 struct task_smack *tsp = smack_cred(current_cred()); 4984 struct task_smack *nsp = smack_cred(new); 4985 4986 /* 4987 * Allow the degenerate case where the new Smack value is 4988 * the same as the current Smack value. 4989 */ 4990 if (tsp->smk_task == nsp->smk_task) 4991 return 0; 4992 4993 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4994 return 0; 4995 4996 return -EPERM; 4997 } 4998 4999 /** 5000 * smack_uring_sqpoll - check if a io_uring polling thread can be created 5001 * 5002 * Check to see if the current task is allowed to create a new io_uring 5003 * kernel polling thread. 5004 */ 5005 static int smack_uring_sqpoll(void) 5006 { 5007 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 5008 return 0; 5009 5010 return -EPERM; 5011 } 5012 5013 /** 5014 * smack_uring_cmd - check on file operations for io_uring 5015 * @ioucmd: the command in question 5016 * 5017 * Make a best guess about whether a io_uring "command" should 5018 * be allowed. Use the same logic used for determining if the 5019 * file could be opened for read in the absence of better criteria. 5020 */ 5021 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5022 { 5023 struct file *file = ioucmd->file; 5024 struct smk_audit_info ad; 5025 struct task_smack *tsp; 5026 struct inode *inode; 5027 int rc; 5028 5029 if (!file) 5030 return -EINVAL; 5031 5032 tsp = smack_cred(file->f_cred); 5033 inode = file_inode(file); 5034 5035 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5036 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5037 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5038 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5039 5040 return rc; 5041 } 5042 5043 #endif /* CONFIG_IO_URING */ 5044 5045 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5046 .lbs_cred = sizeof(struct task_smack), 5047 .lbs_file = sizeof(struct smack_known *), 5048 .lbs_inode = sizeof(struct inode_smack), 5049 .lbs_ipc = sizeof(struct smack_known *), 5050 .lbs_key = sizeof(struct smack_known *), 5051 .lbs_msg_msg = sizeof(struct smack_known *), 5052 .lbs_sock = sizeof(struct socket_smack), 5053 .lbs_superblock = sizeof(struct superblock_smack), 5054 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5055 }; 5056 5057 static const struct lsm_id smack_lsmid = { 5058 .name = "smack", 5059 .id = LSM_ID_SMACK, 5060 }; 5061 5062 static struct security_hook_list smack_hooks[] __ro_after_init = { 5063 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5064 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5065 LSM_HOOK_INIT(syslog, smack_syslog), 5066 5067 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5068 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5069 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5070 5071 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5072 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5073 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5074 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5075 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5076 5077 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5078 5079 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5080 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5081 LSM_HOOK_INIT(inode_link, smack_inode_link), 5082 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5083 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5084 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5085 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5086 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5087 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5088 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5089 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5090 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5091 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5092 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5093 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5094 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5095 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5096 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5097 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5098 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5099 LSM_HOOK_INIT(inode_getlsmprop, smack_inode_getlsmprop), 5100 5101 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5102 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5103 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5104 LSM_HOOK_INIT(file_lock, smack_file_lock), 5105 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5106 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5107 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5108 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5109 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5110 LSM_HOOK_INIT(file_receive, smack_file_receive), 5111 5112 LSM_HOOK_INIT(file_open, smack_file_open), 5113 5114 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5115 LSM_HOOK_INIT(cred_free, smack_cred_free), 5116 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5117 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5118 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5119 LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop), 5120 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5121 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5122 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5123 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5124 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5125 LSM_HOOK_INIT(current_getlsmprop_subj, smack_current_getlsmprop_subj), 5126 LSM_HOOK_INIT(task_getlsmprop_obj, smack_task_getlsmprop_obj), 5127 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5128 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5129 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5130 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5131 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5132 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5133 LSM_HOOK_INIT(task_kill, smack_task_kill), 5134 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5135 5136 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5137 LSM_HOOK_INIT(ipc_getlsmprop, smack_ipc_getlsmprop), 5138 5139 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5140 5141 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5142 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5143 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5144 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5145 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5146 5147 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5148 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5149 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5150 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5151 5152 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5153 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5154 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5155 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5156 5157 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5158 5159 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5160 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5161 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5162 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5163 5164 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5165 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5166 5167 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5168 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5169 #ifdef SMACK_IPV6_PORT_LABELING 5170 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5171 #endif 5172 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5173 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5174 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5175 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5176 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5177 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5178 #ifdef SMACK_IPV6_PORT_LABELING 5179 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5180 #endif 5181 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5182 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 5183 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5184 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5185 5186 /* key management security hooks */ 5187 #ifdef CONFIG_KEYS 5188 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5189 LSM_HOOK_INIT(key_permission, smack_key_permission), 5190 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5191 #ifdef CONFIG_KEY_NOTIFICATIONS 5192 LSM_HOOK_INIT(watch_key, smack_watch_key), 5193 #endif 5194 #endif /* CONFIG_KEYS */ 5195 5196 #ifdef CONFIG_WATCH_QUEUE 5197 LSM_HOOK_INIT(post_notification, smack_post_notification), 5198 #endif 5199 5200 /* Audit hooks */ 5201 #ifdef CONFIG_AUDIT 5202 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5203 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5204 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5205 #endif /* CONFIG_AUDIT */ 5206 5207 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5208 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5209 LSM_HOOK_INIT(lsmprop_to_secctx, smack_lsmprop_to_secctx), 5210 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5211 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5212 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5213 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5214 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5215 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5216 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5217 #ifdef CONFIG_IO_URING 5218 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5219 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5220 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5221 #endif 5222 }; 5223 5224 5225 static __init void init_smack_known_list(void) 5226 { 5227 /* 5228 * Initialize rule list locks 5229 */ 5230 mutex_init(&smack_known_huh.smk_rules_lock); 5231 mutex_init(&smack_known_hat.smk_rules_lock); 5232 mutex_init(&smack_known_floor.smk_rules_lock); 5233 mutex_init(&smack_known_star.smk_rules_lock); 5234 mutex_init(&smack_known_web.smk_rules_lock); 5235 /* 5236 * Initialize rule lists 5237 */ 5238 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5239 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5240 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5241 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5242 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5243 /* 5244 * Create the known labels list 5245 */ 5246 smk_insert_entry(&smack_known_huh); 5247 smk_insert_entry(&smack_known_hat); 5248 smk_insert_entry(&smack_known_star); 5249 smk_insert_entry(&smack_known_floor); 5250 smk_insert_entry(&smack_known_web); 5251 } 5252 5253 /** 5254 * smack_init - initialize the smack system 5255 * 5256 * Returns 0 on success, -ENOMEM is there's no memory 5257 */ 5258 static __init int smack_init(void) 5259 { 5260 struct cred *cred = (struct cred *) current->cred; 5261 struct task_smack *tsp; 5262 5263 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5264 if (!smack_rule_cache) 5265 return -ENOMEM; 5266 5267 /* 5268 * Set the security state for the initial task. 5269 */ 5270 tsp = smack_cred(cred); 5271 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5272 5273 /* 5274 * Register with LSM 5275 */ 5276 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5277 smack_enabled = 1; 5278 5279 pr_info("Smack: Initializing.\n"); 5280 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5281 pr_info("Smack: Netfilter enabled.\n"); 5282 #endif 5283 #ifdef SMACK_IPV6_PORT_LABELING 5284 pr_info("Smack: IPv6 port labeling enabled.\n"); 5285 #endif 5286 #ifdef SMACK_IPV6_SECMARK_LABELING 5287 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5288 #endif 5289 5290 /* initialize the smack_known_list */ 5291 init_smack_known_list(); 5292 5293 return 0; 5294 } 5295 5296 /* 5297 * Smack requires early initialization in order to label 5298 * all processes and objects when they are created. 5299 */ 5300 DEFINE_LSM(smack) = { 5301 .name = "smack", 5302 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5303 .blobs = &smack_blob_sizes, 5304 .init = smack_init, 5305 }; 5306