1 /*
2 * Simplified MAC Kernel (smack) security module
3 *
4 * This file contains the smack hook function implementations.
5 *
6 * Authors:
7 * Casey Schaufler <casey@schaufler-ca.com>
8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
9 *
10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
12 * Paul Moore <paul@paul-moore.com>
13 * Copyright (C) 2010 Nokia Corporation
14 * Copyright (C) 2011 Intel Corporation.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
20
21 #include <linux/xattr.h>
22 #include <linux/pagemap.h>
23 #include <linux/mount.h>
24 #include <linux/stat.h>
25 #include <linux/kd.h>
26 #include <asm/ioctls.h>
27 #include <linux/ip.h>
28 #include <linux/tcp.h>
29 #include <linux/udp.h>
30 #include <linux/dccp.h>
31 #include <linux/slab.h>
32 #include <linux/mutex.h>
33 #include <linux/pipe_fs_i.h>
34 #include <net/cipso_ipv4.h>
35 #include <net/ip.h>
36 #include <net/ipv6.h>
37 #include <linux/audit.h>
38 #include <linux/magic.h>
39 #include <linux/dcache.h>
40 #include <linux/personality.h>
41 #include <linux/msg.h>
42 #include <linux/shm.h>
43 #include <linux/binfmts.h>
44 #include "smack.h"
45
46 #define TRANS_TRUE "TRUE"
47 #define TRANS_TRUE_SIZE 4
48
49 #define SMK_CONNECTING 0
50 #define SMK_RECEIVING 1
51 #define SMK_SENDING 2
52
53 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
54 LIST_HEAD(smk_ipv6_port_list);
55 #endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
56 static struct kmem_cache *smack_inode_cache;
57 int smack_enabled;
58
59 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
60 static char *smk_bu_mess[] = {
61 "Bringup Error", /* Unused */
62 "Bringup", /* SMACK_BRINGUP_ALLOW */
63 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */
64 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */
65 };
66
smk_bu_mode(int mode,char * s)67 static void smk_bu_mode(int mode, char *s)
68 {
69 int i = 0;
70
71 if (mode & MAY_READ)
72 s[i++] = 'r';
73 if (mode & MAY_WRITE)
74 s[i++] = 'w';
75 if (mode & MAY_EXEC)
76 s[i++] = 'x';
77 if (mode & MAY_APPEND)
78 s[i++] = 'a';
79 if (mode & MAY_TRANSMUTE)
80 s[i++] = 't';
81 if (mode & MAY_LOCK)
82 s[i++] = 'l';
83 if (i == 0)
84 s[i++] = '-';
85 s[i] = '\0';
86 }
87 #endif
88
89 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
smk_bu_note(char * note,struct smack_known * sskp,struct smack_known * oskp,int mode,int rc)90 static int smk_bu_note(char *note, struct smack_known *sskp,
91 struct smack_known *oskp, int mode, int rc)
92 {
93 char acc[SMK_NUM_ACCESS_TYPE + 1];
94
95 if (rc <= 0)
96 return rc;
97 if (rc > SMACK_UNCONFINED_OBJECT)
98 rc = 0;
99
100 smk_bu_mode(mode, acc);
101 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc],
102 sskp->smk_known, oskp->smk_known, acc, note);
103 return 0;
104 }
105 #else
106 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC)
107 #endif
108
109 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
smk_bu_current(char * note,struct smack_known * oskp,int mode,int rc)110 static int smk_bu_current(char *note, struct smack_known *oskp,
111 int mode, int rc)
112 {
113 struct task_smack *tsp = current_security();
114 char acc[SMK_NUM_ACCESS_TYPE + 1];
115
116 if (rc <= 0)
117 return rc;
118 if (rc > SMACK_UNCONFINED_OBJECT)
119 rc = 0;
120
121 smk_bu_mode(mode, acc);
122 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc],
123 tsp->smk_task->smk_known, oskp->smk_known,
124 acc, current->comm, note);
125 return 0;
126 }
127 #else
128 #define smk_bu_current(note, oskp, mode, RC) (RC)
129 #endif
130
131 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
smk_bu_task(struct task_struct * otp,int mode,int rc)132 static int smk_bu_task(struct task_struct *otp, int mode, int rc)
133 {
134 struct task_smack *tsp = current_security();
135 struct smack_known *smk_task = smk_of_task_struct(otp);
136 char acc[SMK_NUM_ACCESS_TYPE + 1];
137
138 if (rc <= 0)
139 return rc;
140 if (rc > SMACK_UNCONFINED_OBJECT)
141 rc = 0;
142
143 smk_bu_mode(mode, acc);
144 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc],
145 tsp->smk_task->smk_known, smk_task->smk_known, acc,
146 current->comm, otp->comm);
147 return 0;
148 }
149 #else
150 #define smk_bu_task(otp, mode, RC) (RC)
151 #endif
152
153 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
smk_bu_inode(struct inode * inode,int mode,int rc)154 static int smk_bu_inode(struct inode *inode, int mode, int rc)
155 {
156 struct task_smack *tsp = current_security();
157 struct inode_smack *isp = inode->i_security;
158 char acc[SMK_NUM_ACCESS_TYPE + 1];
159
160 if (isp->smk_flags & SMK_INODE_IMPURE)
161 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
162 inode->i_sb->s_id, inode->i_ino, current->comm);
163
164 if (rc <= 0)
165 return rc;
166 if (rc > SMACK_UNCONFINED_OBJECT)
167 rc = 0;
168 if (rc == SMACK_UNCONFINED_SUBJECT &&
169 (mode & (MAY_WRITE | MAY_APPEND)))
170 isp->smk_flags |= SMK_INODE_IMPURE;
171
172 smk_bu_mode(mode, acc);
173
174 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc],
175 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc,
176 inode->i_sb->s_id, inode->i_ino, current->comm);
177 return 0;
178 }
179 #else
180 #define smk_bu_inode(inode, mode, RC) (RC)
181 #endif
182
183 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
smk_bu_file(struct file * file,int mode,int rc)184 static int smk_bu_file(struct file *file, int mode, int rc)
185 {
186 struct task_smack *tsp = current_security();
187 struct smack_known *sskp = tsp->smk_task;
188 struct inode *inode = file_inode(file);
189 struct inode_smack *isp = inode->i_security;
190 char acc[SMK_NUM_ACCESS_TYPE + 1];
191
192 if (isp->smk_flags & SMK_INODE_IMPURE)
193 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
194 inode->i_sb->s_id, inode->i_ino, current->comm);
195
196 if (rc <= 0)
197 return rc;
198 if (rc > SMACK_UNCONFINED_OBJECT)
199 rc = 0;
200
201 smk_bu_mode(mode, acc);
202 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
203 sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
204 inode->i_sb->s_id, inode->i_ino, file,
205 current->comm);
206 return 0;
207 }
208 #else
209 #define smk_bu_file(file, mode, RC) (RC)
210 #endif
211
212 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
smk_bu_credfile(const struct cred * cred,struct file * file,int mode,int rc)213 static int smk_bu_credfile(const struct cred *cred, struct file *file,
214 int mode, int rc)
215 {
216 struct task_smack *tsp = cred->security;
217 struct smack_known *sskp = tsp->smk_task;
218 struct inode *inode = file->f_inode;
219 struct inode_smack *isp = inode->i_security;
220 char acc[SMK_NUM_ACCESS_TYPE + 1];
221
222 if (isp->smk_flags & SMK_INODE_IMPURE)
223 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
224 inode->i_sb->s_id, inode->i_ino, current->comm);
225
226 if (rc <= 0)
227 return rc;
228 if (rc > SMACK_UNCONFINED_OBJECT)
229 rc = 0;
230
231 smk_bu_mode(mode, acc);
232 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
233 sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
234 inode->i_sb->s_id, inode->i_ino, file,
235 current->comm);
236 return 0;
237 }
238 #else
239 #define smk_bu_credfile(cred, file, mode, RC) (RC)
240 #endif
241
242 /**
243 * smk_fetch - Fetch the smack label from a file.
244 * @name: type of the label (attribute)
245 * @ip: a pointer to the inode
246 * @dp: a pointer to the dentry
247 *
248 * Returns a pointer to the master list entry for the Smack label
249 * or NULL if there was no label to fetch.
250 */
smk_fetch(const char * name,struct inode * ip,struct dentry * dp)251 static struct smack_known *smk_fetch(const char *name, struct inode *ip,
252 struct dentry *dp)
253 {
254 int rc;
255 char *buffer;
256 struct smack_known *skp = NULL;
257
258 if (ip->i_op->getxattr == NULL)
259 return NULL;
260
261 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL);
262 if (buffer == NULL)
263 return NULL;
264
265 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL);
266 if (rc > 0)
267 skp = smk_import_entry(buffer, rc);
268
269 kfree(buffer);
270
271 return skp;
272 }
273
274 /**
275 * new_inode_smack - allocate an inode security blob
276 * @skp: a pointer to the Smack label entry to use in the blob
277 *
278 * Returns the new blob or NULL if there's no memory available
279 */
new_inode_smack(struct smack_known * skp)280 struct inode_smack *new_inode_smack(struct smack_known *skp)
281 {
282 struct inode_smack *isp;
283
284 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS);
285 if (isp == NULL)
286 return NULL;
287
288 isp->smk_inode = skp;
289 isp->smk_flags = 0;
290 mutex_init(&isp->smk_lock);
291
292 return isp;
293 }
294
295 /**
296 * new_task_smack - allocate a task security blob
297 * @task: a pointer to the Smack label for the running task
298 * @forked: a pointer to the Smack label for the forked task
299 * @gfp: type of the memory for the allocation
300 *
301 * Returns the new blob or NULL if there's no memory available
302 */
new_task_smack(struct smack_known * task,struct smack_known * forked,gfp_t gfp)303 static struct task_smack *new_task_smack(struct smack_known *task,
304 struct smack_known *forked, gfp_t gfp)
305 {
306 struct task_smack *tsp;
307
308 tsp = kzalloc(sizeof(struct task_smack), gfp);
309 if (tsp == NULL)
310 return NULL;
311
312 tsp->smk_task = task;
313 tsp->smk_forked = forked;
314 INIT_LIST_HEAD(&tsp->smk_rules);
315 mutex_init(&tsp->smk_rules_lock);
316
317 return tsp;
318 }
319
320 /**
321 * smk_copy_rules - copy a rule set
322 * @nhead: new rules header pointer
323 * @ohead: old rules header pointer
324 * @gfp: type of the memory for the allocation
325 *
326 * Returns 0 on success, -ENOMEM on error
327 */
smk_copy_rules(struct list_head * nhead,struct list_head * ohead,gfp_t gfp)328 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
329 gfp_t gfp)
330 {
331 struct smack_rule *nrp;
332 struct smack_rule *orp;
333 int rc = 0;
334
335 INIT_LIST_HEAD(nhead);
336
337 list_for_each_entry_rcu(orp, ohead, list) {
338 nrp = kzalloc(sizeof(struct smack_rule), gfp);
339 if (nrp == NULL) {
340 rc = -ENOMEM;
341 break;
342 }
343 *nrp = *orp;
344 list_add_rcu(&nrp->list, nhead);
345 }
346 return rc;
347 }
348
349 /**
350 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
351 * @mode - input mode in form of PTRACE_MODE_*
352 *
353 * Returns a converted MAY_* mode usable by smack rules
354 */
smk_ptrace_mode(unsigned int mode)355 static inline unsigned int smk_ptrace_mode(unsigned int mode)
356 {
357 if (mode & PTRACE_MODE_ATTACH)
358 return MAY_READWRITE;
359 if (mode & PTRACE_MODE_READ)
360 return MAY_READ;
361
362 return 0;
363 }
364
365 /**
366 * smk_ptrace_rule_check - helper for ptrace access
367 * @tracer: tracer process
368 * @tracee_known: label entry of the process that's about to be traced
369 * @mode: ptrace attachment mode (PTRACE_MODE_*)
370 * @func: name of the function that called us, used for audit
371 *
372 * Returns 0 on access granted, -error on error
373 */
smk_ptrace_rule_check(struct task_struct * tracer,struct smack_known * tracee_known,unsigned int mode,const char * func)374 static int smk_ptrace_rule_check(struct task_struct *tracer,
375 struct smack_known *tracee_known,
376 unsigned int mode, const char *func)
377 {
378 int rc;
379 struct smk_audit_info ad, *saip = NULL;
380 struct task_smack *tsp;
381 struct smack_known *tracer_known;
382
383 if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
384 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
385 smk_ad_setfield_u_tsk(&ad, tracer);
386 saip = &ad;
387 }
388
389 rcu_read_lock();
390 tsp = __task_cred(tracer)->security;
391 tracer_known = smk_of_task(tsp);
392
393 if ((mode & PTRACE_MODE_ATTACH) &&
394 (smack_ptrace_rule == SMACK_PTRACE_EXACT ||
395 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
396 if (tracer_known->smk_known == tracee_known->smk_known)
397 rc = 0;
398 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
399 rc = -EACCES;
400 else if (capable(CAP_SYS_PTRACE))
401 rc = 0;
402 else
403 rc = -EACCES;
404
405 if (saip)
406 smack_log(tracer_known->smk_known,
407 tracee_known->smk_known,
408 0, rc, saip);
409
410 rcu_read_unlock();
411 return rc;
412 }
413
414 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
415 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);
416
417 rcu_read_unlock();
418 return rc;
419 }
420
421 /*
422 * LSM hooks.
423 * We he, that is fun!
424 */
425
426 /**
427 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
428 * @ctp: child task pointer
429 * @mode: ptrace attachment mode (PTRACE_MODE_*)
430 *
431 * Returns 0 if access is OK, an error code otherwise
432 *
433 * Do the capability checks.
434 */
smack_ptrace_access_check(struct task_struct * ctp,unsigned int mode)435 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
436 {
437 int rc;
438 struct smack_known *skp;
439
440 rc = cap_ptrace_access_check(ctp, mode);
441 if (rc != 0)
442 return rc;
443
444 skp = smk_of_task_struct(ctp);
445
446 rc = smk_ptrace_rule_check(current, skp, mode, __func__);
447 return rc;
448 }
449
450 /**
451 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
452 * @ptp: parent task pointer
453 *
454 * Returns 0 if access is OK, an error code otherwise
455 *
456 * Do the capability checks, and require PTRACE_MODE_ATTACH.
457 */
smack_ptrace_traceme(struct task_struct * ptp)458 static int smack_ptrace_traceme(struct task_struct *ptp)
459 {
460 int rc;
461 struct smack_known *skp;
462
463 rc = cap_ptrace_traceme(ptp);
464 if (rc != 0)
465 return rc;
466
467 skp = smk_of_task(current_security());
468
469 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
470 return rc;
471 }
472
473 /**
474 * smack_syslog - Smack approval on syslog
475 * @type: message type
476 *
477 * Returns 0 on success, error code otherwise.
478 */
smack_syslog(int typefrom_file)479 static int smack_syslog(int typefrom_file)
480 {
481 int rc = 0;
482 struct smack_known *skp = smk_of_current();
483
484 if (smack_privileged(CAP_MAC_OVERRIDE))
485 return 0;
486
487 if (smack_syslog_label != NULL && smack_syslog_label != skp)
488 rc = -EACCES;
489
490 return rc;
491 }
492
493
494 /*
495 * Superblock Hooks.
496 */
497
498 /**
499 * smack_sb_alloc_security - allocate a superblock blob
500 * @sb: the superblock getting the blob
501 *
502 * Returns 0 on success or -ENOMEM on error.
503 */
smack_sb_alloc_security(struct super_block * sb)504 static int smack_sb_alloc_security(struct super_block *sb)
505 {
506 struct superblock_smack *sbsp;
507
508 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
509
510 if (sbsp == NULL)
511 return -ENOMEM;
512
513 sbsp->smk_root = &smack_known_floor;
514 sbsp->smk_default = &smack_known_floor;
515 sbsp->smk_floor = &smack_known_floor;
516 sbsp->smk_hat = &smack_known_hat;
517 /*
518 * smk_initialized will be zero from kzalloc.
519 */
520 sb->s_security = sbsp;
521
522 return 0;
523 }
524
525 /**
526 * smack_sb_free_security - free a superblock blob
527 * @sb: the superblock getting the blob
528 *
529 */
smack_sb_free_security(struct super_block * sb)530 static void smack_sb_free_security(struct super_block *sb)
531 {
532 kfree(sb->s_security);
533 sb->s_security = NULL;
534 }
535
536 /**
537 * smack_sb_copy_data - copy mount options data for processing
538 * @orig: where to start
539 * @smackopts: mount options string
540 *
541 * Returns 0 on success or -ENOMEM on error.
542 *
543 * Copy the Smack specific mount options out of the mount
544 * options list.
545 */
smack_sb_copy_data(char * orig,char * smackopts)546 static int smack_sb_copy_data(char *orig, char *smackopts)
547 {
548 char *cp, *commap, *otheropts, *dp;
549
550 otheropts = (char *)get_zeroed_page(GFP_KERNEL);
551 if (otheropts == NULL)
552 return -ENOMEM;
553
554 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) {
555 if (strstr(cp, SMK_FSDEFAULT) == cp)
556 dp = smackopts;
557 else if (strstr(cp, SMK_FSFLOOR) == cp)
558 dp = smackopts;
559 else if (strstr(cp, SMK_FSHAT) == cp)
560 dp = smackopts;
561 else if (strstr(cp, SMK_FSROOT) == cp)
562 dp = smackopts;
563 else if (strstr(cp, SMK_FSTRANS) == cp)
564 dp = smackopts;
565 else
566 dp = otheropts;
567
568 commap = strchr(cp, ',');
569 if (commap != NULL)
570 *commap = '\0';
571
572 if (*dp != '\0')
573 strcat(dp, ",");
574 strcat(dp, cp);
575 }
576
577 strcpy(orig, otheropts);
578 free_page((unsigned long)otheropts);
579
580 return 0;
581 }
582
583 /**
584 * smack_sb_kern_mount - Smack specific mount processing
585 * @sb: the file system superblock
586 * @flags: the mount flags
587 * @data: the smack mount options
588 *
589 * Returns 0 on success, an error code on failure
590 */
smack_sb_kern_mount(struct super_block * sb,int flags,void * data)591 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
592 {
593 struct dentry *root = sb->s_root;
594 struct inode *inode = d_backing_inode(root);
595 struct superblock_smack *sp = sb->s_security;
596 struct inode_smack *isp;
597 struct smack_known *skp;
598 char *op;
599 char *commap;
600 int transmute = 0;
601 int specified = 0;
602
603 if (sp->smk_initialized)
604 return 0;
605
606 sp->smk_initialized = 1;
607
608 for (op = data; op != NULL; op = commap) {
609 commap = strchr(op, ',');
610 if (commap != NULL)
611 *commap++ = '\0';
612
613 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) {
614 op += strlen(SMK_FSHAT);
615 skp = smk_import_entry(op, 0);
616 if (skp != NULL) {
617 sp->smk_hat = skp;
618 specified = 1;
619 }
620 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) {
621 op += strlen(SMK_FSFLOOR);
622 skp = smk_import_entry(op, 0);
623 if (skp != NULL) {
624 sp->smk_floor = skp;
625 specified = 1;
626 }
627 } else if (strncmp(op, SMK_FSDEFAULT,
628 strlen(SMK_FSDEFAULT)) == 0) {
629 op += strlen(SMK_FSDEFAULT);
630 skp = smk_import_entry(op, 0);
631 if (skp != NULL) {
632 sp->smk_default = skp;
633 specified = 1;
634 }
635 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) {
636 op += strlen(SMK_FSROOT);
637 skp = smk_import_entry(op, 0);
638 if (skp != NULL) {
639 sp->smk_root = skp;
640 specified = 1;
641 }
642 } else if (strncmp(op, SMK_FSTRANS, strlen(SMK_FSTRANS)) == 0) {
643 op += strlen(SMK_FSTRANS);
644 skp = smk_import_entry(op, 0);
645 if (skp != NULL) {
646 sp->smk_root = skp;
647 transmute = 1;
648 specified = 1;
649 }
650 }
651 }
652
653 if (!smack_privileged(CAP_MAC_ADMIN)) {
654 /*
655 * Unprivileged mounts don't get to specify Smack values.
656 */
657 if (specified)
658 return -EPERM;
659 /*
660 * Unprivileged mounts get root and default from the caller.
661 */
662 skp = smk_of_current();
663 sp->smk_root = skp;
664 sp->smk_default = skp;
665 }
666 /*
667 * Initialize the root inode.
668 */
669 isp = inode->i_security;
670 if (isp == NULL) {
671 isp = new_inode_smack(sp->smk_root);
672 if (isp == NULL)
673 return -ENOMEM;
674 inode->i_security = isp;
675 } else
676 isp->smk_inode = sp->smk_root;
677
678 if (transmute)
679 isp->smk_flags |= SMK_INODE_TRANSMUTE;
680
681 return 0;
682 }
683
684 /**
685 * smack_sb_statfs - Smack check on statfs
686 * @dentry: identifies the file system in question
687 *
688 * Returns 0 if current can read the floor of the filesystem,
689 * and error code otherwise
690 */
smack_sb_statfs(struct dentry * dentry)691 static int smack_sb_statfs(struct dentry *dentry)
692 {
693 struct superblock_smack *sbp = dentry->d_sb->s_security;
694 int rc;
695 struct smk_audit_info ad;
696
697 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
698 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
699
700 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
701 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc);
702 return rc;
703 }
704
705 /*
706 * BPRM hooks
707 */
708
709 /**
710 * smack_bprm_set_creds - set creds for exec
711 * @bprm: the exec information
712 *
713 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
714 */
smack_bprm_set_creds(struct linux_binprm * bprm)715 static int smack_bprm_set_creds(struct linux_binprm *bprm)
716 {
717 struct inode *inode = file_inode(bprm->file);
718 struct task_smack *bsp = bprm->cred->security;
719 struct inode_smack *isp;
720 int rc;
721
722 rc = cap_bprm_set_creds(bprm);
723 if (rc != 0)
724 return rc;
725
726 if (bprm->cred_prepared)
727 return 0;
728
729 isp = inode->i_security;
730 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
731 return 0;
732
733 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
734 struct task_struct *tracer;
735 rc = 0;
736
737 rcu_read_lock();
738 tracer = ptrace_parent(current);
739 if (likely(tracer != NULL))
740 rc = smk_ptrace_rule_check(tracer,
741 isp->smk_task,
742 PTRACE_MODE_ATTACH,
743 __func__);
744 rcu_read_unlock();
745
746 if (rc != 0)
747 return rc;
748 } else if (bprm->unsafe)
749 return -EPERM;
750
751 bsp->smk_task = isp->smk_task;
752 bprm->per_clear |= PER_CLEAR_ON_SETID;
753
754 return 0;
755 }
756
757 /**
758 * smack_bprm_committing_creds - Prepare to install the new credentials
759 * from bprm.
760 *
761 * @bprm: binprm for exec
762 */
smack_bprm_committing_creds(struct linux_binprm * bprm)763 static void smack_bprm_committing_creds(struct linux_binprm *bprm)
764 {
765 struct task_smack *bsp = bprm->cred->security;
766
767 if (bsp->smk_task != bsp->smk_forked)
768 current->pdeath_signal = 0;
769 }
770
771 /**
772 * smack_bprm_secureexec - Return the decision to use secureexec.
773 * @bprm: binprm for exec
774 *
775 * Returns 0 on success.
776 */
smack_bprm_secureexec(struct linux_binprm * bprm)777 static int smack_bprm_secureexec(struct linux_binprm *bprm)
778 {
779 struct task_smack *tsp = current_security();
780 int ret = cap_bprm_secureexec(bprm);
781
782 if (!ret && (tsp->smk_task != tsp->smk_forked))
783 ret = 1;
784
785 return ret;
786 }
787
788 /*
789 * Inode hooks
790 */
791
792 /**
793 * smack_inode_alloc_security - allocate an inode blob
794 * @inode: the inode in need of a blob
795 *
796 * Returns 0 if it gets a blob, -ENOMEM otherwise
797 */
smack_inode_alloc_security(struct inode * inode)798 static int smack_inode_alloc_security(struct inode *inode)
799 {
800 struct smack_known *skp = smk_of_current();
801
802 inode->i_security = new_inode_smack(skp);
803 if (inode->i_security == NULL)
804 return -ENOMEM;
805 return 0;
806 }
807
808 /**
809 * smack_inode_free_security - free an inode blob
810 * @inode: the inode with a blob
811 *
812 * Clears the blob pointer in inode
813 */
smack_inode_free_security(struct inode * inode)814 static void smack_inode_free_security(struct inode *inode)
815 {
816 kmem_cache_free(smack_inode_cache, inode->i_security);
817 inode->i_security = NULL;
818 }
819
820 /**
821 * smack_inode_init_security - copy out the smack from an inode
822 * @inode: the newly created inode
823 * @dir: containing directory object
824 * @qstr: unused
825 * @name: where to put the attribute name
826 * @value: where to put the attribute value
827 * @len: where to put the length of the attribute
828 *
829 * Returns 0 if it all works out, -ENOMEM if there's no memory
830 */
smack_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,const char ** name,void ** value,size_t * len)831 static int smack_inode_init_security(struct inode *inode, struct inode *dir,
832 const struct qstr *qstr, const char **name,
833 void **value, size_t *len)
834 {
835 struct inode_smack *issp = inode->i_security;
836 struct smack_known *skp = smk_of_current();
837 struct smack_known *isp = smk_of_inode(inode);
838 struct smack_known *dsp = smk_of_inode(dir);
839 int may;
840
841 if (name)
842 *name = XATTR_SMACK_SUFFIX;
843
844 if (value && len) {
845 rcu_read_lock();
846 may = smk_access_entry(skp->smk_known, dsp->smk_known,
847 &skp->smk_rules);
848 rcu_read_unlock();
849
850 /*
851 * If the access rule allows transmutation and
852 * the directory requests transmutation then
853 * by all means transmute.
854 * Mark the inode as changed.
855 */
856 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
857 smk_inode_transmutable(dir)) {
858 isp = dsp;
859 issp->smk_flags |= SMK_INODE_CHANGED;
860 }
861
862 *value = kstrdup(isp->smk_known, GFP_NOFS);
863 if (*value == NULL)
864 return -ENOMEM;
865
866 *len = strlen(isp->smk_known);
867 }
868
869 return 0;
870 }
871
872 /**
873 * smack_inode_link - Smack check on link
874 * @old_dentry: the existing object
875 * @dir: unused
876 * @new_dentry: the new object
877 *
878 * Returns 0 if access is permitted, an error code otherwise
879 */
smack_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)880 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
881 struct dentry *new_dentry)
882 {
883 struct smack_known *isp;
884 struct smk_audit_info ad;
885 int rc;
886
887 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
888 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
889
890 isp = smk_of_inode(d_backing_inode(old_dentry));
891 rc = smk_curacc(isp, MAY_WRITE, &ad);
892 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc);
893
894 if (rc == 0 && d_is_positive(new_dentry)) {
895 isp = smk_of_inode(d_backing_inode(new_dentry));
896 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
897 rc = smk_curacc(isp, MAY_WRITE, &ad);
898 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc);
899 }
900
901 return rc;
902 }
903
904 /**
905 * smack_inode_unlink - Smack check on inode deletion
906 * @dir: containing directory object
907 * @dentry: file to unlink
908 *
909 * Returns 0 if current can write the containing directory
910 * and the object, error code otherwise
911 */
smack_inode_unlink(struct inode * dir,struct dentry * dentry)912 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
913 {
914 struct inode *ip = d_backing_inode(dentry);
915 struct smk_audit_info ad;
916 int rc;
917
918 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
919 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
920
921 /*
922 * You need write access to the thing you're unlinking
923 */
924 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
925 rc = smk_bu_inode(ip, MAY_WRITE, rc);
926 if (rc == 0) {
927 /*
928 * You also need write access to the containing directory
929 */
930 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
931 smk_ad_setfield_u_fs_inode(&ad, dir);
932 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
933 rc = smk_bu_inode(dir, MAY_WRITE, rc);
934 }
935 return rc;
936 }
937
938 /**
939 * smack_inode_rmdir - Smack check on directory deletion
940 * @dir: containing directory object
941 * @dentry: directory to unlink
942 *
943 * Returns 0 if current can write the containing directory
944 * and the directory, error code otherwise
945 */
smack_inode_rmdir(struct inode * dir,struct dentry * dentry)946 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
947 {
948 struct smk_audit_info ad;
949 int rc;
950
951 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
952 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
953
954 /*
955 * You need write access to the thing you're removing
956 */
957 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
958 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
959 if (rc == 0) {
960 /*
961 * You also need write access to the containing directory
962 */
963 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
964 smk_ad_setfield_u_fs_inode(&ad, dir);
965 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
966 rc = smk_bu_inode(dir, MAY_WRITE, rc);
967 }
968
969 return rc;
970 }
971
972 /**
973 * smack_inode_rename - Smack check on rename
974 * @old_inode: unused
975 * @old_dentry: the old object
976 * @new_inode: unused
977 * @new_dentry: the new object
978 *
979 * Read and write access is required on both the old and
980 * new directories.
981 *
982 * Returns 0 if access is permitted, an error code otherwise
983 */
smack_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)984 static int smack_inode_rename(struct inode *old_inode,
985 struct dentry *old_dentry,
986 struct inode *new_inode,
987 struct dentry *new_dentry)
988 {
989 int rc;
990 struct smack_known *isp;
991 struct smk_audit_info ad;
992
993 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
994 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
995
996 isp = smk_of_inode(d_backing_inode(old_dentry));
997 rc = smk_curacc(isp, MAY_READWRITE, &ad);
998 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc);
999
1000 if (rc == 0 && d_is_positive(new_dentry)) {
1001 isp = smk_of_inode(d_backing_inode(new_dentry));
1002 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
1003 rc = smk_curacc(isp, MAY_READWRITE, &ad);
1004 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc);
1005 }
1006 return rc;
1007 }
1008
1009 /**
1010 * smack_inode_permission - Smack version of permission()
1011 * @inode: the inode in question
1012 * @mask: the access requested
1013 *
1014 * This is the important Smack hook.
1015 *
1016 * Returns 0 if access is permitted, -EACCES otherwise
1017 */
smack_inode_permission(struct inode * inode,int mask)1018 static int smack_inode_permission(struct inode *inode, int mask)
1019 {
1020 struct smk_audit_info ad;
1021 int no_block = mask & MAY_NOT_BLOCK;
1022 int rc;
1023
1024 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
1025 /*
1026 * No permission to check. Existence test. Yup, it's there.
1027 */
1028 if (mask == 0)
1029 return 0;
1030
1031 /* May be droppable after audit */
1032 if (no_block)
1033 return -ECHILD;
1034 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
1035 smk_ad_setfield_u_fs_inode(&ad, inode);
1036 rc = smk_curacc(smk_of_inode(inode), mask, &ad);
1037 rc = smk_bu_inode(inode, mask, rc);
1038 return rc;
1039 }
1040
1041 /**
1042 * smack_inode_setattr - Smack check for setting attributes
1043 * @dentry: the object
1044 * @iattr: for the force flag
1045 *
1046 * Returns 0 if access is permitted, an error code otherwise
1047 */
smack_inode_setattr(struct dentry * dentry,struct iattr * iattr)1048 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
1049 {
1050 struct smk_audit_info ad;
1051 int rc;
1052
1053 /*
1054 * Need to allow for clearing the setuid bit.
1055 */
1056 if (iattr->ia_valid & ATTR_FORCE)
1057 return 0;
1058 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1059 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1060
1061 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1062 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1063 return rc;
1064 }
1065
1066 /**
1067 * smack_inode_getattr - Smack check for getting attributes
1068 * @mnt: vfsmount of the object
1069 * @dentry: the object
1070 *
1071 * Returns 0 if access is permitted, an error code otherwise
1072 */
smack_inode_getattr(const struct path * path)1073 static int smack_inode_getattr(const struct path *path)
1074 {
1075 struct smk_audit_info ad;
1076 struct inode *inode = d_backing_inode(path->dentry);
1077 int rc;
1078
1079 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1080 smk_ad_setfield_u_fs_path(&ad, *path);
1081 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
1082 rc = smk_bu_inode(inode, MAY_READ, rc);
1083 return rc;
1084 }
1085
1086 /**
1087 * smack_inode_setxattr - Smack check for setting xattrs
1088 * @dentry: the object
1089 * @name: name of the attribute
1090 * @value: value of the attribute
1091 * @size: size of the value
1092 * @flags: unused
1093 *
1094 * This protects the Smack attribute explicitly.
1095 *
1096 * Returns 0 if access is permitted, an error code otherwise
1097 */
smack_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)1098 static int smack_inode_setxattr(struct dentry *dentry, const char *name,
1099 const void *value, size_t size, int flags)
1100 {
1101 struct smk_audit_info ad;
1102 struct smack_known *skp;
1103 int check_priv = 0;
1104 int check_import = 0;
1105 int check_star = 0;
1106 int rc = 0;
1107
1108 /*
1109 * Check label validity here so import won't fail in post_setxattr
1110 */
1111 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
1112 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
1113 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
1114 check_priv = 1;
1115 check_import = 1;
1116 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
1117 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1118 check_priv = 1;
1119 check_import = 1;
1120 check_star = 1;
1121 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
1122 check_priv = 1;
1123 if (size != TRANS_TRUE_SIZE ||
1124 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
1125 rc = -EINVAL;
1126 } else
1127 rc = cap_inode_setxattr(dentry, name, value, size, flags);
1128
1129 if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
1130 rc = -EPERM;
1131
1132 if (rc == 0 && check_import) {
1133 skp = size ? smk_import_entry(value, size) : NULL;
1134 if (skp == NULL || (check_star &&
1135 (skp == &smack_known_star || skp == &smack_known_web)))
1136 rc = -EINVAL;
1137 }
1138
1139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1140 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1141
1142 if (rc == 0) {
1143 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1144 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1145 }
1146
1147 return rc;
1148 }
1149
1150 /**
1151 * smack_inode_post_setxattr - Apply the Smack update approved above
1152 * @dentry: object
1153 * @name: attribute name
1154 * @value: attribute value
1155 * @size: attribute size
1156 * @flags: unused
1157 *
1158 * Set the pointer in the inode blob to the entry found
1159 * in the master label list.
1160 */
smack_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)1161 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
1162 const void *value, size_t size, int flags)
1163 {
1164 struct smack_known *skp;
1165 struct inode_smack *isp = d_backing_inode(dentry)->i_security;
1166
1167 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
1168 isp->smk_flags |= SMK_INODE_TRANSMUTE;
1169 return;
1170 }
1171
1172 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1173 skp = smk_import_entry(value, size);
1174 if (skp != NULL)
1175 isp->smk_inode = skp;
1176 else
1177 isp->smk_inode = &smack_known_invalid;
1178 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
1179 skp = smk_import_entry(value, size);
1180 if (skp != NULL)
1181 isp->smk_task = skp;
1182 else
1183 isp->smk_task = &smack_known_invalid;
1184 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1185 skp = smk_import_entry(value, size);
1186 if (skp != NULL)
1187 isp->smk_mmap = skp;
1188 else
1189 isp->smk_mmap = &smack_known_invalid;
1190 }
1191
1192 return;
1193 }
1194
1195 /**
1196 * smack_inode_getxattr - Smack check on getxattr
1197 * @dentry: the object
1198 * @name: unused
1199 *
1200 * Returns 0 if access is permitted, an error code otherwise
1201 */
smack_inode_getxattr(struct dentry * dentry,const char * name)1202 static int smack_inode_getxattr(struct dentry *dentry, const char *name)
1203 {
1204 struct smk_audit_info ad;
1205 int rc;
1206
1207 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1208 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1209
1210 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad);
1211 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc);
1212 return rc;
1213 }
1214
1215 /**
1216 * smack_inode_removexattr - Smack check on removexattr
1217 * @dentry: the object
1218 * @name: name of the attribute
1219 *
1220 * Removing the Smack attribute requires CAP_MAC_ADMIN
1221 *
1222 * Returns 0 if access is permitted, an error code otherwise
1223 */
smack_inode_removexattr(struct dentry * dentry,const char * name)1224 static int smack_inode_removexattr(struct dentry *dentry, const char *name)
1225 {
1226 struct inode_smack *isp;
1227 struct smk_audit_info ad;
1228 int rc = 0;
1229
1230 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
1231 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
1232 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
1233 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
1234 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
1235 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1236 if (!smack_privileged(CAP_MAC_ADMIN))
1237 rc = -EPERM;
1238 } else
1239 rc = cap_inode_removexattr(dentry, name);
1240
1241 if (rc != 0)
1242 return rc;
1243
1244 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1245 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1246
1247 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1248 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1249 if (rc != 0)
1250 return rc;
1251
1252 isp = d_backing_inode(dentry)->i_security;
1253 /*
1254 * Don't do anything special for these.
1255 * XATTR_NAME_SMACKIPIN
1256 * XATTR_NAME_SMACKIPOUT
1257 * XATTR_NAME_SMACKEXEC
1258 */
1259 if (strcmp(name, XATTR_NAME_SMACK) == 0)
1260 isp->smk_task = NULL;
1261 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
1262 isp->smk_mmap = NULL;
1263 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
1264 isp->smk_flags &= ~SMK_INODE_TRANSMUTE;
1265
1266 return 0;
1267 }
1268
1269 /**
1270 * smack_inode_getsecurity - get smack xattrs
1271 * @inode: the object
1272 * @name: attribute name
1273 * @buffer: where to put the result
1274 * @alloc: unused
1275 *
1276 * Returns the size of the attribute or an error code
1277 */
smack_inode_getsecurity(const struct inode * inode,const char * name,void ** buffer,bool alloc)1278 static int smack_inode_getsecurity(const struct inode *inode,
1279 const char *name, void **buffer,
1280 bool alloc)
1281 {
1282 struct socket_smack *ssp;
1283 struct socket *sock;
1284 struct super_block *sbp;
1285 struct inode *ip = (struct inode *)inode;
1286 struct smack_known *isp;
1287 int ilen;
1288 int rc = 0;
1289
1290 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
1291 isp = smk_of_inode(inode);
1292 ilen = strlen(isp->smk_known);
1293 *buffer = isp->smk_known;
1294 return ilen;
1295 }
1296
1297 /*
1298 * The rest of the Smack xattrs are only on sockets.
1299 */
1300 sbp = ip->i_sb;
1301 if (sbp->s_magic != SOCKFS_MAGIC)
1302 return -EOPNOTSUPP;
1303
1304 sock = SOCKET_I(ip);
1305 if (sock == NULL || sock->sk == NULL)
1306 return -EOPNOTSUPP;
1307
1308 ssp = sock->sk->sk_security;
1309
1310 if (strcmp(name, XATTR_SMACK_IPIN) == 0)
1311 isp = ssp->smk_in;
1312 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
1313 isp = ssp->smk_out;
1314 else
1315 return -EOPNOTSUPP;
1316
1317 ilen = strlen(isp->smk_known);
1318 if (rc == 0) {
1319 *buffer = isp->smk_known;
1320 rc = ilen;
1321 }
1322
1323 return rc;
1324 }
1325
1326
1327 /**
1328 * smack_inode_listsecurity - list the Smack attributes
1329 * @inode: the object
1330 * @buffer: where they go
1331 * @buffer_size: size of buffer
1332 *
1333 * Returns 0 on success, -EINVAL otherwise
1334 */
smack_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)1335 static int smack_inode_listsecurity(struct inode *inode, char *buffer,
1336 size_t buffer_size)
1337 {
1338 int len = sizeof(XATTR_NAME_SMACK);
1339
1340 if (buffer != NULL && len <= buffer_size)
1341 memcpy(buffer, XATTR_NAME_SMACK, len);
1342
1343 return len;
1344 }
1345
1346 /**
1347 * smack_inode_getsecid - Extract inode's security id
1348 * @inode: inode to extract the info from
1349 * @secid: where result will be saved
1350 */
smack_inode_getsecid(const struct inode * inode,u32 * secid)1351 static void smack_inode_getsecid(const struct inode *inode, u32 *secid)
1352 {
1353 struct inode_smack *isp = inode->i_security;
1354
1355 *secid = isp->smk_inode->smk_secid;
1356 }
1357
1358 /*
1359 * File Hooks
1360 */
1361
1362 /**
1363 * smack_file_permission - Smack check on file operations
1364 * @file: unused
1365 * @mask: unused
1366 *
1367 * Returns 0
1368 *
1369 * Should access checks be done on each read or write?
1370 * UNICOS and SELinux say yes.
1371 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
1372 *
1373 * I'll say no for now. Smack does not do the frequent
1374 * label changing that SELinux does.
1375 */
smack_file_permission(struct file * file,int mask)1376 static int smack_file_permission(struct file *file, int mask)
1377 {
1378 return 0;
1379 }
1380
1381 /**
1382 * smack_file_alloc_security - assign a file security blob
1383 * @file: the object
1384 *
1385 * The security blob for a file is a pointer to the master
1386 * label list, so no allocation is done.
1387 *
1388 * f_security is the owner security information. It
1389 * isn't used on file access checks, it's for send_sigio.
1390 *
1391 * Returns 0
1392 */
smack_file_alloc_security(struct file * file)1393 static int smack_file_alloc_security(struct file *file)
1394 {
1395 struct smack_known *skp = smk_of_current();
1396
1397 file->f_security = skp;
1398 return 0;
1399 }
1400
1401 /**
1402 * smack_file_free_security - clear a file security blob
1403 * @file: the object
1404 *
1405 * The security blob for a file is a pointer to the master
1406 * label list, so no memory is freed.
1407 */
smack_file_free_security(struct file * file)1408 static void smack_file_free_security(struct file *file)
1409 {
1410 file->f_security = NULL;
1411 }
1412
1413 /**
1414 * smack_file_ioctl - Smack check on ioctls
1415 * @file: the object
1416 * @cmd: what to do
1417 * @arg: unused
1418 *
1419 * Relies heavily on the correct use of the ioctl command conventions.
1420 *
1421 * Returns 0 if allowed, error code otherwise
1422 */
smack_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)1423 static int smack_file_ioctl(struct file *file, unsigned int cmd,
1424 unsigned long arg)
1425 {
1426 int rc = 0;
1427 struct smk_audit_info ad;
1428 struct inode *inode = file_inode(file);
1429
1430 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1431 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1432
1433 if (_IOC_DIR(cmd) & _IOC_WRITE) {
1434 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
1435 rc = smk_bu_file(file, MAY_WRITE, rc);
1436 }
1437
1438 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) {
1439 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
1440 rc = smk_bu_file(file, MAY_READ, rc);
1441 }
1442
1443 return rc;
1444 }
1445
1446 /**
1447 * smack_file_lock - Smack check on file locking
1448 * @file: the object
1449 * @cmd: unused
1450 *
1451 * Returns 0 if current has lock access, error code otherwise
1452 */
smack_file_lock(struct file * file,unsigned int cmd)1453 static int smack_file_lock(struct file *file, unsigned int cmd)
1454 {
1455 struct smk_audit_info ad;
1456 int rc;
1457 struct inode *inode = file_inode(file);
1458
1459 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1460 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1461 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
1462 rc = smk_bu_file(file, MAY_LOCK, rc);
1463 return rc;
1464 }
1465
1466 /**
1467 * smack_file_fcntl - Smack check on fcntl
1468 * @file: the object
1469 * @cmd: what action to check
1470 * @arg: unused
1471 *
1472 * Generally these operations are harmless.
1473 * File locking operations present an obvious mechanism
1474 * for passing information, so they require write access.
1475 *
1476 * Returns 0 if current has access, error code otherwise
1477 */
smack_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)1478 static int smack_file_fcntl(struct file *file, unsigned int cmd,
1479 unsigned long arg)
1480 {
1481 struct smk_audit_info ad;
1482 int rc = 0;
1483 struct inode *inode = file_inode(file);
1484
1485 switch (cmd) {
1486 case F_GETLK:
1487 break;
1488 case F_SETLK:
1489 case F_SETLKW:
1490 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1491 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1492 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
1493 rc = smk_bu_file(file, MAY_LOCK, rc);
1494 break;
1495 case F_SETOWN:
1496 case F_SETSIG:
1497 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1498 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1499 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
1500 rc = smk_bu_file(file, MAY_WRITE, rc);
1501 break;
1502 default:
1503 break;
1504 }
1505
1506 return rc;
1507 }
1508
1509 /**
1510 * smack_mmap_file :
1511 * Check permissions for a mmap operation. The @file may be NULL, e.g.
1512 * if mapping anonymous memory.
1513 * @file contains the file structure for file to map (may be NULL).
1514 * @reqprot contains the protection requested by the application.
1515 * @prot contains the protection that will be applied by the kernel.
1516 * @flags contains the operational flags.
1517 * Return 0 if permission is granted.
1518 */
smack_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)1519 static int smack_mmap_file(struct file *file,
1520 unsigned long reqprot, unsigned long prot,
1521 unsigned long flags)
1522 {
1523 struct smack_known *skp;
1524 struct smack_known *mkp;
1525 struct smack_rule *srp;
1526 struct task_smack *tsp;
1527 struct smack_known *okp;
1528 struct inode_smack *isp;
1529 int may;
1530 int mmay;
1531 int tmay;
1532 int rc;
1533
1534 if (file == NULL)
1535 return 0;
1536
1537 isp = file_inode(file)->i_security;
1538 if (isp->smk_mmap == NULL)
1539 return 0;
1540 mkp = isp->smk_mmap;
1541
1542 tsp = current_security();
1543 skp = smk_of_current();
1544 rc = 0;
1545
1546 rcu_read_lock();
1547 /*
1548 * For each Smack rule associated with the subject
1549 * label verify that the SMACK64MMAP also has access
1550 * to that rule's object label.
1551 */
1552 list_for_each_entry_rcu(srp, &skp->smk_rules, list) {
1553 okp = srp->smk_object;
1554 /*
1555 * Matching labels always allows access.
1556 */
1557 if (mkp->smk_known == okp->smk_known)
1558 continue;
1559 /*
1560 * If there is a matching local rule take
1561 * that into account as well.
1562 */
1563 may = smk_access_entry(srp->smk_subject->smk_known,
1564 okp->smk_known,
1565 &tsp->smk_rules);
1566 if (may == -ENOENT)
1567 may = srp->smk_access;
1568 else
1569 may &= srp->smk_access;
1570 /*
1571 * If may is zero the SMACK64MMAP subject can't
1572 * possibly have less access.
1573 */
1574 if (may == 0)
1575 continue;
1576
1577 /*
1578 * Fetch the global list entry.
1579 * If there isn't one a SMACK64MMAP subject
1580 * can't have as much access as current.
1581 */
1582 mmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1583 &mkp->smk_rules);
1584 if (mmay == -ENOENT) {
1585 rc = -EACCES;
1586 break;
1587 }
1588 /*
1589 * If there is a local entry it modifies the
1590 * potential access, too.
1591 */
1592 tmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1593 &tsp->smk_rules);
1594 if (tmay != -ENOENT)
1595 mmay &= tmay;
1596
1597 /*
1598 * If there is any access available to current that is
1599 * not available to a SMACK64MMAP subject
1600 * deny access.
1601 */
1602 if ((may | mmay) != mmay) {
1603 rc = -EACCES;
1604 break;
1605 }
1606 }
1607
1608 rcu_read_unlock();
1609
1610 return rc;
1611 }
1612
1613 /**
1614 * smack_file_set_fowner - set the file security blob value
1615 * @file: object in question
1616 *
1617 */
smack_file_set_fowner(struct file * file)1618 static void smack_file_set_fowner(struct file *file)
1619 {
1620 file->f_security = smk_of_current();
1621 }
1622
1623 /**
1624 * smack_file_send_sigiotask - Smack on sigio
1625 * @tsk: The target task
1626 * @fown: the object the signal come from
1627 * @signum: unused
1628 *
1629 * Allow a privileged task to get signals even if it shouldn't
1630 *
1631 * Returns 0 if a subject with the object's smack could
1632 * write to the task, an error code otherwise.
1633 */
smack_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)1634 static int smack_file_send_sigiotask(struct task_struct *tsk,
1635 struct fown_struct *fown, int signum)
1636 {
1637 struct smack_known *skp;
1638 struct smack_known *tkp = smk_of_task(tsk->cred->security);
1639 struct file *file;
1640 int rc;
1641 struct smk_audit_info ad;
1642
1643 /*
1644 * struct fown_struct is never outside the context of a struct file
1645 */
1646 file = container_of(fown, struct file, f_owner);
1647
1648 /* we don't log here as rc can be overriden */
1649 skp = file->f_security;
1650 rc = smk_access(skp, tkp, MAY_WRITE, NULL);
1651 rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc);
1652 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
1653 rc = 0;
1654
1655 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1656 smk_ad_setfield_u_tsk(&ad, tsk);
1657 smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad);
1658 return rc;
1659 }
1660
1661 /**
1662 * smack_file_receive - Smack file receive check
1663 * @file: the object
1664 *
1665 * Returns 0 if current has access, error code otherwise
1666 */
smack_file_receive(struct file * file)1667 static int smack_file_receive(struct file *file)
1668 {
1669 int rc;
1670 int may = 0;
1671 struct smk_audit_info ad;
1672 struct inode *inode = file_inode(file);
1673
1674 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1675 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1676 /*
1677 * This code relies on bitmasks.
1678 */
1679 if (file->f_mode & FMODE_READ)
1680 may = MAY_READ;
1681 if (file->f_mode & FMODE_WRITE)
1682 may |= MAY_WRITE;
1683
1684 rc = smk_curacc(smk_of_inode(inode), may, &ad);
1685 rc = smk_bu_file(file, may, rc);
1686 return rc;
1687 }
1688
1689 /**
1690 * smack_file_open - Smack dentry open processing
1691 * @file: the object
1692 * @cred: task credential
1693 *
1694 * Set the security blob in the file structure.
1695 * Allow the open only if the task has read access. There are
1696 * many read operations (e.g. fstat) that you can do with an
1697 * fd even if you have the file open write-only.
1698 *
1699 * Returns 0
1700 */
smack_file_open(struct file * file,const struct cred * cred)1701 static int smack_file_open(struct file *file, const struct cred *cred)
1702 {
1703 struct task_smack *tsp = cred->security;
1704 struct inode *inode = file_inode(file);
1705 struct smk_audit_info ad;
1706 int rc;
1707
1708 if (smack_privileged(CAP_MAC_OVERRIDE))
1709 return 0;
1710
1711 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1712 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1713 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad);
1714 rc = smk_bu_credfile(cred, file, MAY_READ, rc);
1715
1716 return rc;
1717 }
1718
1719 /*
1720 * Task hooks
1721 */
1722
1723 /**
1724 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
1725 * @new: the new credentials
1726 * @gfp: the atomicity of any memory allocations
1727 *
1728 * Prepare a blank set of credentials for modification. This must allocate all
1729 * the memory the LSM module might require such that cred_transfer() can
1730 * complete without error.
1731 */
smack_cred_alloc_blank(struct cred * cred,gfp_t gfp)1732 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
1733 {
1734 struct task_smack *tsp;
1735
1736 tsp = new_task_smack(NULL, NULL, gfp);
1737 if (tsp == NULL)
1738 return -ENOMEM;
1739
1740 cred->security = tsp;
1741
1742 return 0;
1743 }
1744
1745
1746 /**
1747 * smack_cred_free - "free" task-level security credentials
1748 * @cred: the credentials in question
1749 *
1750 */
smack_cred_free(struct cred * cred)1751 static void smack_cred_free(struct cred *cred)
1752 {
1753 struct task_smack *tsp = cred->security;
1754 struct smack_rule *rp;
1755 struct list_head *l;
1756 struct list_head *n;
1757
1758 if (tsp == NULL)
1759 return;
1760 cred->security = NULL;
1761
1762 list_for_each_safe(l, n, &tsp->smk_rules) {
1763 rp = list_entry(l, struct smack_rule, list);
1764 list_del(&rp->list);
1765 kfree(rp);
1766 }
1767 kfree(tsp);
1768 }
1769
1770 /**
1771 * smack_cred_prepare - prepare new set of credentials for modification
1772 * @new: the new credentials
1773 * @old: the original credentials
1774 * @gfp: the atomicity of any memory allocations
1775 *
1776 * Prepare a new set of credentials for modification.
1777 */
smack_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)1778 static int smack_cred_prepare(struct cred *new, const struct cred *old,
1779 gfp_t gfp)
1780 {
1781 struct task_smack *old_tsp = old->security;
1782 struct task_smack *new_tsp;
1783 int rc;
1784
1785 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp);
1786 if (new_tsp == NULL)
1787 return -ENOMEM;
1788
1789 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
1790 if (rc != 0)
1791 return rc;
1792
1793 new->security = new_tsp;
1794 return 0;
1795 }
1796
1797 /**
1798 * smack_cred_transfer - Transfer the old credentials to the new credentials
1799 * @new: the new credentials
1800 * @old: the original credentials
1801 *
1802 * Fill in a set of blank credentials from another set of credentials.
1803 */
smack_cred_transfer(struct cred * new,const struct cred * old)1804 static void smack_cred_transfer(struct cred *new, const struct cred *old)
1805 {
1806 struct task_smack *old_tsp = old->security;
1807 struct task_smack *new_tsp = new->security;
1808
1809 new_tsp->smk_task = old_tsp->smk_task;
1810 new_tsp->smk_forked = old_tsp->smk_task;
1811 mutex_init(&new_tsp->smk_rules_lock);
1812 INIT_LIST_HEAD(&new_tsp->smk_rules);
1813
1814
1815 /* cbs copy rule list */
1816 }
1817
1818 /**
1819 * smack_kernel_act_as - Set the subjective context in a set of credentials
1820 * @new: points to the set of credentials to be modified.
1821 * @secid: specifies the security ID to be set
1822 *
1823 * Set the security data for a kernel service.
1824 */
smack_kernel_act_as(struct cred * new,u32 secid)1825 static int smack_kernel_act_as(struct cred *new, u32 secid)
1826 {
1827 struct task_smack *new_tsp = new->security;
1828 struct smack_known *skp = smack_from_secid(secid);
1829
1830 if (skp == NULL)
1831 return -EINVAL;
1832
1833 new_tsp->smk_task = skp;
1834 return 0;
1835 }
1836
1837 /**
1838 * smack_kernel_create_files_as - Set the file creation label in a set of creds
1839 * @new: points to the set of credentials to be modified
1840 * @inode: points to the inode to use as a reference
1841 *
1842 * Set the file creation context in a set of credentials to the same
1843 * as the objective context of the specified inode
1844 */
smack_kernel_create_files_as(struct cred * new,struct inode * inode)1845 static int smack_kernel_create_files_as(struct cred *new,
1846 struct inode *inode)
1847 {
1848 struct inode_smack *isp = inode->i_security;
1849 struct task_smack *tsp = new->security;
1850
1851 tsp->smk_forked = isp->smk_inode;
1852 tsp->smk_task = tsp->smk_forked;
1853 return 0;
1854 }
1855
1856 /**
1857 * smk_curacc_on_task - helper to log task related access
1858 * @p: the task object
1859 * @access: the access requested
1860 * @caller: name of the calling function for audit
1861 *
1862 * Return 0 if access is permitted
1863 */
smk_curacc_on_task(struct task_struct * p,int access,const char * caller)1864 static int smk_curacc_on_task(struct task_struct *p, int access,
1865 const char *caller)
1866 {
1867 struct smk_audit_info ad;
1868 struct smack_known *skp = smk_of_task_struct(p);
1869 int rc;
1870
1871 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
1872 smk_ad_setfield_u_tsk(&ad, p);
1873 rc = smk_curacc(skp, access, &ad);
1874 rc = smk_bu_task(p, access, rc);
1875 return rc;
1876 }
1877
1878 /**
1879 * smack_task_setpgid - Smack check on setting pgid
1880 * @p: the task object
1881 * @pgid: unused
1882 *
1883 * Return 0 if write access is permitted
1884 */
smack_task_setpgid(struct task_struct * p,pid_t pgid)1885 static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1886 {
1887 return smk_curacc_on_task(p, MAY_WRITE, __func__);
1888 }
1889
1890 /**
1891 * smack_task_getpgid - Smack access check for getpgid
1892 * @p: the object task
1893 *
1894 * Returns 0 if current can read the object task, error code otherwise
1895 */
smack_task_getpgid(struct task_struct * p)1896 static int smack_task_getpgid(struct task_struct *p)
1897 {
1898 return smk_curacc_on_task(p, MAY_READ, __func__);
1899 }
1900
1901 /**
1902 * smack_task_getsid - Smack access check for getsid
1903 * @p: the object task
1904 *
1905 * Returns 0 if current can read the object task, error code otherwise
1906 */
smack_task_getsid(struct task_struct * p)1907 static int smack_task_getsid(struct task_struct *p)
1908 {
1909 return smk_curacc_on_task(p, MAY_READ, __func__);
1910 }
1911
1912 /**
1913 * smack_task_getsecid - get the secid of the task
1914 * @p: the object task
1915 * @secid: where to put the result
1916 *
1917 * Sets the secid to contain a u32 version of the smack label.
1918 */
smack_task_getsecid(struct task_struct * p,u32 * secid)1919 static void smack_task_getsecid(struct task_struct *p, u32 *secid)
1920 {
1921 struct smack_known *skp = smk_of_task_struct(p);
1922
1923 *secid = skp->smk_secid;
1924 }
1925
1926 /**
1927 * smack_task_setnice - Smack check on setting nice
1928 * @p: the task object
1929 * @nice: unused
1930 *
1931 * Return 0 if write access is permitted
1932 */
smack_task_setnice(struct task_struct * p,int nice)1933 static int smack_task_setnice(struct task_struct *p, int nice)
1934 {
1935 int rc;
1936
1937 rc = cap_task_setnice(p, nice);
1938 if (rc == 0)
1939 rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
1940 return rc;
1941 }
1942
1943 /**
1944 * smack_task_setioprio - Smack check on setting ioprio
1945 * @p: the task object
1946 * @ioprio: unused
1947 *
1948 * Return 0 if write access is permitted
1949 */
smack_task_setioprio(struct task_struct * p,int ioprio)1950 static int smack_task_setioprio(struct task_struct *p, int ioprio)
1951 {
1952 int rc;
1953
1954 rc = cap_task_setioprio(p, ioprio);
1955 if (rc == 0)
1956 rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
1957 return rc;
1958 }
1959
1960 /**
1961 * smack_task_getioprio - Smack check on reading ioprio
1962 * @p: the task object
1963 *
1964 * Return 0 if read access is permitted
1965 */
smack_task_getioprio(struct task_struct * p)1966 static int smack_task_getioprio(struct task_struct *p)
1967 {
1968 return smk_curacc_on_task(p, MAY_READ, __func__);
1969 }
1970
1971 /**
1972 * smack_task_setscheduler - Smack check on setting scheduler
1973 * @p: the task object
1974 * @policy: unused
1975 * @lp: unused
1976 *
1977 * Return 0 if read access is permitted
1978 */
smack_task_setscheduler(struct task_struct * p)1979 static int smack_task_setscheduler(struct task_struct *p)
1980 {
1981 int rc;
1982
1983 rc = cap_task_setscheduler(p);
1984 if (rc == 0)
1985 rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
1986 return rc;
1987 }
1988
1989 /**
1990 * smack_task_getscheduler - Smack check on reading scheduler
1991 * @p: the task object
1992 *
1993 * Return 0 if read access is permitted
1994 */
smack_task_getscheduler(struct task_struct * p)1995 static int smack_task_getscheduler(struct task_struct *p)
1996 {
1997 return smk_curacc_on_task(p, MAY_READ, __func__);
1998 }
1999
2000 /**
2001 * smack_task_movememory - Smack check on moving memory
2002 * @p: the task object
2003 *
2004 * Return 0 if write access is permitted
2005 */
smack_task_movememory(struct task_struct * p)2006 static int smack_task_movememory(struct task_struct *p)
2007 {
2008 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2009 }
2010
2011 /**
2012 * smack_task_kill - Smack check on signal delivery
2013 * @p: the task object
2014 * @info: unused
2015 * @sig: unused
2016 * @secid: identifies the smack to use in lieu of current's
2017 *
2018 * Return 0 if write access is permitted
2019 *
2020 * The secid behavior is an artifact of an SELinux hack
2021 * in the USB code. Someday it may go away.
2022 */
smack_task_kill(struct task_struct * p,struct siginfo * info,int sig,u32 secid)2023 static int smack_task_kill(struct task_struct *p, struct siginfo *info,
2024 int sig, u32 secid)
2025 {
2026 struct smk_audit_info ad;
2027 struct smack_known *skp;
2028 struct smack_known *tkp = smk_of_task_struct(p);
2029 int rc;
2030
2031 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
2032 smk_ad_setfield_u_tsk(&ad, p);
2033 /*
2034 * Sending a signal requires that the sender
2035 * can write the receiver.
2036 */
2037 if (secid == 0) {
2038 rc = smk_curacc(tkp, MAY_WRITE, &ad);
2039 rc = smk_bu_task(p, MAY_WRITE, rc);
2040 return rc;
2041 }
2042 /*
2043 * If the secid isn't 0 we're dealing with some USB IO
2044 * specific behavior. This is not clean. For one thing
2045 * we can't take privilege into account.
2046 */
2047 skp = smack_from_secid(secid);
2048 rc = smk_access(skp, tkp, MAY_WRITE, &ad);
2049 rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc);
2050 return rc;
2051 }
2052
2053 /**
2054 * smack_task_wait - Smack access check for waiting
2055 * @p: task to wait for
2056 *
2057 * Returns 0
2058 */
smack_task_wait(struct task_struct * p)2059 static int smack_task_wait(struct task_struct *p)
2060 {
2061 /*
2062 * Allow the operation to succeed.
2063 * Zombies are bad.
2064 * In userless environments (e.g. phones) programs
2065 * get marked with SMACK64EXEC and even if the parent
2066 * and child shouldn't be talking the parent still
2067 * may expect to know when the child exits.
2068 */
2069 return 0;
2070 }
2071
2072 /**
2073 * smack_task_to_inode - copy task smack into the inode blob
2074 * @p: task to copy from
2075 * @inode: inode to copy to
2076 *
2077 * Sets the smack pointer in the inode security blob
2078 */
smack_task_to_inode(struct task_struct * p,struct inode * inode)2079 static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
2080 {
2081 struct inode_smack *isp = inode->i_security;
2082 struct smack_known *skp = smk_of_task_struct(p);
2083
2084 isp->smk_inode = skp;
2085 }
2086
2087 /*
2088 * Socket hooks.
2089 */
2090
2091 /**
2092 * smack_sk_alloc_security - Allocate a socket blob
2093 * @sk: the socket
2094 * @family: unused
2095 * @gfp_flags: memory allocation flags
2096 *
2097 * Assign Smack pointers to current
2098 *
2099 * Returns 0 on success, -ENOMEM is there's no memory
2100 */
smack_sk_alloc_security(struct sock * sk,int family,gfp_t gfp_flags)2101 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
2102 {
2103 struct smack_known *skp = smk_of_current();
2104 struct socket_smack *ssp;
2105
2106 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
2107 if (ssp == NULL)
2108 return -ENOMEM;
2109
2110 ssp->smk_in = skp;
2111 ssp->smk_out = skp;
2112 ssp->smk_packet = NULL;
2113
2114 sk->sk_security = ssp;
2115
2116 return 0;
2117 }
2118
2119 /**
2120 * smack_sk_free_security - Free a socket blob
2121 * @sk: the socket
2122 *
2123 * Clears the blob pointer
2124 */
smack_sk_free_security(struct sock * sk)2125 static void smack_sk_free_security(struct sock *sk)
2126 {
2127 kfree(sk->sk_security);
2128 }
2129
2130 /**
2131 * smack_host_label - check host based restrictions
2132 * @sip: the object end
2133 *
2134 * looks for host based access restrictions
2135 *
2136 * This version will only be appropriate for really small sets of single label
2137 * hosts. The caller is responsible for ensuring that the RCU read lock is
2138 * taken before calling this function.
2139 *
2140 * Returns the label of the far end or NULL if it's not special.
2141 */
smack_host_label(struct sockaddr_in * sip)2142 static struct smack_known *smack_host_label(struct sockaddr_in *sip)
2143 {
2144 struct smk_netlbladdr *snp;
2145 struct in_addr *siap = &sip->sin_addr;
2146
2147 if (siap->s_addr == 0)
2148 return NULL;
2149
2150 list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list)
2151 /*
2152 * we break after finding the first match because
2153 * the list is sorted from longest to shortest mask
2154 * so we have found the most specific match
2155 */
2156 if ((&snp->smk_host.sin_addr)->s_addr ==
2157 (siap->s_addr & (&snp->smk_mask)->s_addr)) {
2158 /* we have found the special CIPSO option */
2159 if (snp->smk_label == &smack_cipso_option)
2160 return NULL;
2161 return snp->smk_label;
2162 }
2163
2164 return NULL;
2165 }
2166
2167 /**
2168 * smack_netlabel - Set the secattr on a socket
2169 * @sk: the socket
2170 * @labeled: socket label scheme
2171 *
2172 * Convert the outbound smack value (smk_out) to a
2173 * secattr and attach it to the socket.
2174 *
2175 * Returns 0 on success or an error code
2176 */
smack_netlabel(struct sock * sk,int labeled)2177 static int smack_netlabel(struct sock *sk, int labeled)
2178 {
2179 struct smack_known *skp;
2180 struct socket_smack *ssp = sk->sk_security;
2181 int rc = 0;
2182
2183 /*
2184 * Usually the netlabel code will handle changing the
2185 * packet labeling based on the label.
2186 * The case of a single label host is different, because
2187 * a single label host should never get a labeled packet
2188 * even though the label is usually associated with a packet
2189 * label.
2190 */
2191 local_bh_disable();
2192 bh_lock_sock_nested(sk);
2193
2194 if (ssp->smk_out == smack_net_ambient ||
2195 labeled == SMACK_UNLABELED_SOCKET)
2196 netlbl_sock_delattr(sk);
2197 else {
2198 skp = ssp->smk_out;
2199 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
2200 }
2201
2202 bh_unlock_sock(sk);
2203 local_bh_enable();
2204
2205 return rc;
2206 }
2207
2208 /**
2209 * smack_netlbel_send - Set the secattr on a socket and perform access checks
2210 * @sk: the socket
2211 * @sap: the destination address
2212 *
2213 * Set the correct secattr for the given socket based on the destination
2214 * address and perform any outbound access checks needed.
2215 *
2216 * Returns 0 on success or an error code.
2217 *
2218 */
smack_netlabel_send(struct sock * sk,struct sockaddr_in * sap)2219 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
2220 {
2221 struct smack_known *skp;
2222 int rc;
2223 int sk_lbl;
2224 struct smack_known *hkp;
2225 struct socket_smack *ssp = sk->sk_security;
2226 struct smk_audit_info ad;
2227
2228 rcu_read_lock();
2229 hkp = smack_host_label(sap);
2230 if (hkp != NULL) {
2231 #ifdef CONFIG_AUDIT
2232 struct lsm_network_audit net;
2233
2234 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2235 ad.a.u.net->family = sap->sin_family;
2236 ad.a.u.net->dport = sap->sin_port;
2237 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
2238 #endif
2239 sk_lbl = SMACK_UNLABELED_SOCKET;
2240 skp = ssp->smk_out;
2241 rc = smk_access(skp, hkp, MAY_WRITE, &ad);
2242 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc);
2243 } else {
2244 sk_lbl = SMACK_CIPSO_SOCKET;
2245 rc = 0;
2246 }
2247 rcu_read_unlock();
2248 if (rc != 0)
2249 return rc;
2250
2251 return smack_netlabel(sk, sk_lbl);
2252 }
2253
2254 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
2255 /**
2256 * smk_ipv6_port_label - Smack port access table management
2257 * @sock: socket
2258 * @address: address
2259 *
2260 * Create or update the port list entry
2261 */
smk_ipv6_port_label(struct socket * sock,struct sockaddr * address)2262 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
2263 {
2264 struct sock *sk = sock->sk;
2265 struct sockaddr_in6 *addr6;
2266 struct socket_smack *ssp = sock->sk->sk_security;
2267 struct smk_port_label *spp;
2268 unsigned short port = 0;
2269
2270 if (address == NULL) {
2271 /*
2272 * This operation is changing the Smack information
2273 * on the bound socket. Take the changes to the port
2274 * as well.
2275 */
2276 list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2277 if (sk != spp->smk_sock)
2278 continue;
2279 spp->smk_in = ssp->smk_in;
2280 spp->smk_out = ssp->smk_out;
2281 return;
2282 }
2283 /*
2284 * A NULL address is only used for updating existing
2285 * bound entries. If there isn't one, it's OK.
2286 */
2287 return;
2288 }
2289
2290 addr6 = (struct sockaddr_in6 *)address;
2291 port = ntohs(addr6->sin6_port);
2292 /*
2293 * This is a special case that is safely ignored.
2294 */
2295 if (port == 0)
2296 return;
2297
2298 /*
2299 * Look for an existing port list entry.
2300 * This is an indication that a port is getting reused.
2301 */
2302 list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2303 if (spp->smk_port != port)
2304 continue;
2305 spp->smk_port = port;
2306 spp->smk_sock = sk;
2307 spp->smk_in = ssp->smk_in;
2308 spp->smk_out = ssp->smk_out;
2309 return;
2310 }
2311
2312 /*
2313 * A new port entry is required.
2314 */
2315 spp = kzalloc(sizeof(*spp), GFP_KERNEL);
2316 if (spp == NULL)
2317 return;
2318
2319 spp->smk_port = port;
2320 spp->smk_sock = sk;
2321 spp->smk_in = ssp->smk_in;
2322 spp->smk_out = ssp->smk_out;
2323
2324 list_add(&spp->list, &smk_ipv6_port_list);
2325 return;
2326 }
2327
2328 /**
2329 * smk_ipv6_port_check - check Smack port access
2330 * @sock: socket
2331 * @address: address
2332 *
2333 * Create or update the port list entry
2334 */
smk_ipv6_port_check(struct sock * sk,struct sockaddr_in6 * address,int act)2335 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
2336 int act)
2337 {
2338 __be16 *bep;
2339 __be32 *be32p;
2340 struct smk_port_label *spp;
2341 struct socket_smack *ssp = sk->sk_security;
2342 struct smack_known *skp;
2343 unsigned short port = 0;
2344 struct smack_known *object;
2345 struct smk_audit_info ad;
2346 int rc;
2347 #ifdef CONFIG_AUDIT
2348 struct lsm_network_audit net;
2349 #endif
2350
2351 if (act == SMK_RECEIVING) {
2352 skp = smack_net_ambient;
2353 object = ssp->smk_in;
2354 } else {
2355 skp = ssp->smk_out;
2356 object = smack_net_ambient;
2357 }
2358
2359 /*
2360 * Get the IP address and port from the address.
2361 */
2362 port = ntohs(address->sin6_port);
2363 bep = (__be16 *)(&address->sin6_addr);
2364 be32p = (__be32 *)(&address->sin6_addr);
2365
2366 /*
2367 * It's remote, so port lookup does no good.
2368 */
2369 if (be32p[0] || be32p[1] || be32p[2] || bep[6] || ntohs(bep[7]) != 1)
2370 goto auditout;
2371
2372 /*
2373 * It's local so the send check has to have passed.
2374 */
2375 if (act == SMK_RECEIVING) {
2376 skp = &smack_known_web;
2377 goto auditout;
2378 }
2379
2380 list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2381 if (spp->smk_port != port)
2382 continue;
2383 object = spp->smk_in;
2384 if (act == SMK_CONNECTING)
2385 ssp->smk_packet = spp->smk_out;
2386 break;
2387 }
2388
2389 auditout:
2390
2391 #ifdef CONFIG_AUDIT
2392 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2393 ad.a.u.net->family = sk->sk_family;
2394 ad.a.u.net->dport = port;
2395 if (act == SMK_RECEIVING)
2396 ad.a.u.net->v6info.saddr = address->sin6_addr;
2397 else
2398 ad.a.u.net->v6info.daddr = address->sin6_addr;
2399 #endif
2400 rc = smk_access(skp, object, MAY_WRITE, &ad);
2401 rc = smk_bu_note("IPv6 port check", skp, object, MAY_WRITE, rc);
2402 return rc;
2403 }
2404 #endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
2405
2406 /**
2407 * smack_inode_setsecurity - set smack xattrs
2408 * @inode: the object
2409 * @name: attribute name
2410 * @value: attribute value
2411 * @size: size of the attribute
2412 * @flags: unused
2413 *
2414 * Sets the named attribute in the appropriate blob
2415 *
2416 * Returns 0 on success, or an error code
2417 */
smack_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)2418 static int smack_inode_setsecurity(struct inode *inode, const char *name,
2419 const void *value, size_t size, int flags)
2420 {
2421 struct smack_known *skp;
2422 struct inode_smack *nsp = inode->i_security;
2423 struct socket_smack *ssp;
2424 struct socket *sock;
2425 int rc = 0;
2426
2427 if (value == NULL || size > SMK_LONGLABEL || size == 0)
2428 return -EINVAL;
2429
2430 skp = smk_import_entry(value, size);
2431 if (skp == NULL)
2432 return -EINVAL;
2433
2434 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
2435 nsp->smk_inode = skp;
2436 nsp->smk_flags |= SMK_INODE_INSTANT;
2437 return 0;
2438 }
2439 /*
2440 * The rest of the Smack xattrs are only on sockets.
2441 */
2442 if (inode->i_sb->s_magic != SOCKFS_MAGIC)
2443 return -EOPNOTSUPP;
2444
2445 sock = SOCKET_I(inode);
2446 if (sock == NULL || sock->sk == NULL)
2447 return -EOPNOTSUPP;
2448
2449 ssp = sock->sk->sk_security;
2450
2451 if (strcmp(name, XATTR_SMACK_IPIN) == 0)
2452 ssp->smk_in = skp;
2453 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
2454 ssp->smk_out = skp;
2455 if (sock->sk->sk_family == PF_INET) {
2456 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
2457 if (rc != 0)
2458 printk(KERN_WARNING
2459 "Smack: \"%s\" netlbl error %d.\n",
2460 __func__, -rc);
2461 }
2462 } else
2463 return -EOPNOTSUPP;
2464
2465 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
2466 if (sock->sk->sk_family == PF_INET6)
2467 smk_ipv6_port_label(sock, NULL);
2468 #endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
2469
2470 return 0;
2471 }
2472
2473 /**
2474 * smack_socket_post_create - finish socket setup
2475 * @sock: the socket
2476 * @family: protocol family
2477 * @type: unused
2478 * @protocol: unused
2479 * @kern: unused
2480 *
2481 * Sets the netlabel information on the socket
2482 *
2483 * Returns 0 on success, and error code otherwise
2484 */
smack_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)2485 static int smack_socket_post_create(struct socket *sock, int family,
2486 int type, int protocol, int kern)
2487 {
2488 struct socket_smack *ssp;
2489
2490 if (sock->sk == NULL)
2491 return 0;
2492
2493 /*
2494 * Sockets created by kernel threads receive web label.
2495 */
2496 if (unlikely(current->flags & PF_KTHREAD)) {
2497 ssp = sock->sk->sk_security;
2498 ssp->smk_in = &smack_known_web;
2499 ssp->smk_out = &smack_known_web;
2500 }
2501
2502 if (family != PF_INET)
2503 return 0;
2504 /*
2505 * Set the outbound netlbl.
2506 */
2507 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
2508 }
2509
2510 #ifndef CONFIG_SECURITY_SMACK_NETFILTER
2511 /**
2512 * smack_socket_bind - record port binding information.
2513 * @sock: the socket
2514 * @address: the port address
2515 * @addrlen: size of the address
2516 *
2517 * Records the label bound to a port.
2518 *
2519 * Returns 0
2520 */
smack_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)2521 static int smack_socket_bind(struct socket *sock, struct sockaddr *address,
2522 int addrlen)
2523 {
2524 #if IS_ENABLED(CONFIG_IPV6)
2525 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6)
2526 smk_ipv6_port_label(sock, address);
2527 #endif
2528
2529 return 0;
2530 }
2531 #endif /* !CONFIG_SECURITY_SMACK_NETFILTER */
2532
2533 /**
2534 * smack_socket_connect - connect access check
2535 * @sock: the socket
2536 * @sap: the other end
2537 * @addrlen: size of sap
2538 *
2539 * Verifies that a connection may be possible
2540 *
2541 * Returns 0 on success, and error code otherwise
2542 */
smack_socket_connect(struct socket * sock,struct sockaddr * sap,int addrlen)2543 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
2544 int addrlen)
2545 {
2546 int rc = 0;
2547
2548 if (sock->sk == NULL)
2549 return 0;
2550
2551 switch (sock->sk->sk_family) {
2552 case PF_INET:
2553 if (addrlen < sizeof(struct sockaddr_in))
2554 return -EINVAL;
2555 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
2556 break;
2557 case PF_INET6:
2558 if (addrlen < sizeof(struct sockaddr_in6))
2559 return -EINVAL;
2560 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
2561 rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,
2562 SMK_CONNECTING);
2563 #endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
2564 break;
2565 }
2566 return rc;
2567 }
2568
2569 /**
2570 * smack_flags_to_may - convert S_ to MAY_ values
2571 * @flags: the S_ value
2572 *
2573 * Returns the equivalent MAY_ value
2574 */
smack_flags_to_may(int flags)2575 static int smack_flags_to_may(int flags)
2576 {
2577 int may = 0;
2578
2579 if (flags & S_IRUGO)
2580 may |= MAY_READ;
2581 if (flags & S_IWUGO)
2582 may |= MAY_WRITE;
2583 if (flags & S_IXUGO)
2584 may |= MAY_EXEC;
2585
2586 return may;
2587 }
2588
2589 /**
2590 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
2591 * @msg: the object
2592 *
2593 * Returns 0
2594 */
smack_msg_msg_alloc_security(struct msg_msg * msg)2595 static int smack_msg_msg_alloc_security(struct msg_msg *msg)
2596 {
2597 struct smack_known *skp = smk_of_current();
2598
2599 msg->security = skp;
2600 return 0;
2601 }
2602
2603 /**
2604 * smack_msg_msg_free_security - Clear the security blob for msg_msg
2605 * @msg: the object
2606 *
2607 * Clears the blob pointer
2608 */
smack_msg_msg_free_security(struct msg_msg * msg)2609 static void smack_msg_msg_free_security(struct msg_msg *msg)
2610 {
2611 msg->security = NULL;
2612 }
2613
2614 /**
2615 * smack_of_shm - the smack pointer for the shm
2616 * @shp: the object
2617 *
2618 * Returns a pointer to the smack value
2619 */
smack_of_shm(struct shmid_kernel * shp)2620 static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
2621 {
2622 return (struct smack_known *)shp->shm_perm.security;
2623 }
2624
2625 /**
2626 * smack_shm_alloc_security - Set the security blob for shm
2627 * @shp: the object
2628 *
2629 * Returns 0
2630 */
smack_shm_alloc_security(struct shmid_kernel * shp)2631 static int smack_shm_alloc_security(struct shmid_kernel *shp)
2632 {
2633 struct kern_ipc_perm *isp = &shp->shm_perm;
2634 struct smack_known *skp = smk_of_current();
2635
2636 isp->security = skp;
2637 return 0;
2638 }
2639
2640 /**
2641 * smack_shm_free_security - Clear the security blob for shm
2642 * @shp: the object
2643 *
2644 * Clears the blob pointer
2645 */
smack_shm_free_security(struct shmid_kernel * shp)2646 static void smack_shm_free_security(struct shmid_kernel *shp)
2647 {
2648 struct kern_ipc_perm *isp = &shp->shm_perm;
2649
2650 isp->security = NULL;
2651 }
2652
2653 /**
2654 * smk_curacc_shm : check if current has access on shm
2655 * @shp : the object
2656 * @access : access requested
2657 *
2658 * Returns 0 if current has the requested access, error code otherwise
2659 */
smk_curacc_shm(struct shmid_kernel * shp,int access)2660 static int smk_curacc_shm(struct shmid_kernel *shp, int access)
2661 {
2662 struct smack_known *ssp = smack_of_shm(shp);
2663 struct smk_audit_info ad;
2664 int rc;
2665
2666 #ifdef CONFIG_AUDIT
2667 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2668 ad.a.u.ipc_id = shp->shm_perm.id;
2669 #endif
2670 rc = smk_curacc(ssp, access, &ad);
2671 rc = smk_bu_current("shm", ssp, access, rc);
2672 return rc;
2673 }
2674
2675 /**
2676 * smack_shm_associate - Smack access check for shm
2677 * @shp: the object
2678 * @shmflg: access requested
2679 *
2680 * Returns 0 if current has the requested access, error code otherwise
2681 */
smack_shm_associate(struct shmid_kernel * shp,int shmflg)2682 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
2683 {
2684 int may;
2685
2686 may = smack_flags_to_may(shmflg);
2687 return smk_curacc_shm(shp, may);
2688 }
2689
2690 /**
2691 * smack_shm_shmctl - Smack access check for shm
2692 * @shp: the object
2693 * @cmd: what it wants to do
2694 *
2695 * Returns 0 if current has the requested access, error code otherwise
2696 */
smack_shm_shmctl(struct shmid_kernel * shp,int cmd)2697 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
2698 {
2699 int may;
2700
2701 switch (cmd) {
2702 case IPC_STAT:
2703 case SHM_STAT:
2704 may = MAY_READ;
2705 break;
2706 case IPC_SET:
2707 case SHM_LOCK:
2708 case SHM_UNLOCK:
2709 case IPC_RMID:
2710 may = MAY_READWRITE;
2711 break;
2712 case IPC_INFO:
2713 case SHM_INFO:
2714 /*
2715 * System level information.
2716 */
2717 return 0;
2718 default:
2719 return -EINVAL;
2720 }
2721 return smk_curacc_shm(shp, may);
2722 }
2723
2724 /**
2725 * smack_shm_shmat - Smack access for shmat
2726 * @shp: the object
2727 * @shmaddr: unused
2728 * @shmflg: access requested
2729 *
2730 * Returns 0 if current has the requested access, error code otherwise
2731 */
smack_shm_shmat(struct shmid_kernel * shp,char __user * shmaddr,int shmflg)2732 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
2733 int shmflg)
2734 {
2735 int may;
2736
2737 may = smack_flags_to_may(shmflg);
2738 return smk_curacc_shm(shp, may);
2739 }
2740
2741 /**
2742 * smack_of_sem - the smack pointer for the sem
2743 * @sma: the object
2744 *
2745 * Returns a pointer to the smack value
2746 */
smack_of_sem(struct sem_array * sma)2747 static struct smack_known *smack_of_sem(struct sem_array *sma)
2748 {
2749 return (struct smack_known *)sma->sem_perm.security;
2750 }
2751
2752 /**
2753 * smack_sem_alloc_security - Set the security blob for sem
2754 * @sma: the object
2755 *
2756 * Returns 0
2757 */
smack_sem_alloc_security(struct sem_array * sma)2758 static int smack_sem_alloc_security(struct sem_array *sma)
2759 {
2760 struct kern_ipc_perm *isp = &sma->sem_perm;
2761 struct smack_known *skp = smk_of_current();
2762
2763 isp->security = skp;
2764 return 0;
2765 }
2766
2767 /**
2768 * smack_sem_free_security - Clear the security blob for sem
2769 * @sma: the object
2770 *
2771 * Clears the blob pointer
2772 */
smack_sem_free_security(struct sem_array * sma)2773 static void smack_sem_free_security(struct sem_array *sma)
2774 {
2775 struct kern_ipc_perm *isp = &sma->sem_perm;
2776
2777 isp->security = NULL;
2778 }
2779
2780 /**
2781 * smk_curacc_sem : check if current has access on sem
2782 * @sma : the object
2783 * @access : access requested
2784 *
2785 * Returns 0 if current has the requested access, error code otherwise
2786 */
smk_curacc_sem(struct sem_array * sma,int access)2787 static int smk_curacc_sem(struct sem_array *sma, int access)
2788 {
2789 struct smack_known *ssp = smack_of_sem(sma);
2790 struct smk_audit_info ad;
2791 int rc;
2792
2793 #ifdef CONFIG_AUDIT
2794 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2795 ad.a.u.ipc_id = sma->sem_perm.id;
2796 #endif
2797 rc = smk_curacc(ssp, access, &ad);
2798 rc = smk_bu_current("sem", ssp, access, rc);
2799 return rc;
2800 }
2801
2802 /**
2803 * smack_sem_associate - Smack access check for sem
2804 * @sma: the object
2805 * @semflg: access requested
2806 *
2807 * Returns 0 if current has the requested access, error code otherwise
2808 */
smack_sem_associate(struct sem_array * sma,int semflg)2809 static int smack_sem_associate(struct sem_array *sma, int semflg)
2810 {
2811 int may;
2812
2813 may = smack_flags_to_may(semflg);
2814 return smk_curacc_sem(sma, may);
2815 }
2816
2817 /**
2818 * smack_sem_shmctl - Smack access check for sem
2819 * @sma: the object
2820 * @cmd: what it wants to do
2821 *
2822 * Returns 0 if current has the requested access, error code otherwise
2823 */
smack_sem_semctl(struct sem_array * sma,int cmd)2824 static int smack_sem_semctl(struct sem_array *sma, int cmd)
2825 {
2826 int may;
2827
2828 switch (cmd) {
2829 case GETPID:
2830 case GETNCNT:
2831 case GETZCNT:
2832 case GETVAL:
2833 case GETALL:
2834 case IPC_STAT:
2835 case SEM_STAT:
2836 may = MAY_READ;
2837 break;
2838 case SETVAL:
2839 case SETALL:
2840 case IPC_RMID:
2841 case IPC_SET:
2842 may = MAY_READWRITE;
2843 break;
2844 case IPC_INFO:
2845 case SEM_INFO:
2846 /*
2847 * System level information
2848 */
2849 return 0;
2850 default:
2851 return -EINVAL;
2852 }
2853
2854 return smk_curacc_sem(sma, may);
2855 }
2856
2857 /**
2858 * smack_sem_semop - Smack checks of semaphore operations
2859 * @sma: the object
2860 * @sops: unused
2861 * @nsops: unused
2862 * @alter: unused
2863 *
2864 * Treated as read and write in all cases.
2865 *
2866 * Returns 0 if access is allowed, error code otherwise
2867 */
smack_sem_semop(struct sem_array * sma,struct sembuf * sops,unsigned nsops,int alter)2868 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
2869 unsigned nsops, int alter)
2870 {
2871 return smk_curacc_sem(sma, MAY_READWRITE);
2872 }
2873
2874 /**
2875 * smack_msg_alloc_security - Set the security blob for msg
2876 * @msq: the object
2877 *
2878 * Returns 0
2879 */
smack_msg_queue_alloc_security(struct msg_queue * msq)2880 static int smack_msg_queue_alloc_security(struct msg_queue *msq)
2881 {
2882 struct kern_ipc_perm *kisp = &msq->q_perm;
2883 struct smack_known *skp = smk_of_current();
2884
2885 kisp->security = skp;
2886 return 0;
2887 }
2888
2889 /**
2890 * smack_msg_free_security - Clear the security blob for msg
2891 * @msq: the object
2892 *
2893 * Clears the blob pointer
2894 */
smack_msg_queue_free_security(struct msg_queue * msq)2895 static void smack_msg_queue_free_security(struct msg_queue *msq)
2896 {
2897 struct kern_ipc_perm *kisp = &msq->q_perm;
2898
2899 kisp->security = NULL;
2900 }
2901
2902 /**
2903 * smack_of_msq - the smack pointer for the msq
2904 * @msq: the object
2905 *
2906 * Returns a pointer to the smack label entry
2907 */
smack_of_msq(struct msg_queue * msq)2908 static struct smack_known *smack_of_msq(struct msg_queue *msq)
2909 {
2910 return (struct smack_known *)msq->q_perm.security;
2911 }
2912
2913 /**
2914 * smk_curacc_msq : helper to check if current has access on msq
2915 * @msq : the msq
2916 * @access : access requested
2917 *
2918 * return 0 if current has access, error otherwise
2919 */
smk_curacc_msq(struct msg_queue * msq,int access)2920 static int smk_curacc_msq(struct msg_queue *msq, int access)
2921 {
2922 struct smack_known *msp = smack_of_msq(msq);
2923 struct smk_audit_info ad;
2924 int rc;
2925
2926 #ifdef CONFIG_AUDIT
2927 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2928 ad.a.u.ipc_id = msq->q_perm.id;
2929 #endif
2930 rc = smk_curacc(msp, access, &ad);
2931 rc = smk_bu_current("msq", msp, access, rc);
2932 return rc;
2933 }
2934
2935 /**
2936 * smack_msg_queue_associate - Smack access check for msg_queue
2937 * @msq: the object
2938 * @msqflg: access requested
2939 *
2940 * Returns 0 if current has the requested access, error code otherwise
2941 */
smack_msg_queue_associate(struct msg_queue * msq,int msqflg)2942 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
2943 {
2944 int may;
2945
2946 may = smack_flags_to_may(msqflg);
2947 return smk_curacc_msq(msq, may);
2948 }
2949
2950 /**
2951 * smack_msg_queue_msgctl - Smack access check for msg_queue
2952 * @msq: the object
2953 * @cmd: what it wants to do
2954 *
2955 * Returns 0 if current has the requested access, error code otherwise
2956 */
smack_msg_queue_msgctl(struct msg_queue * msq,int cmd)2957 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
2958 {
2959 int may;
2960
2961 switch (cmd) {
2962 case IPC_STAT:
2963 case MSG_STAT:
2964 may = MAY_READ;
2965 break;
2966 case IPC_SET:
2967 case IPC_RMID:
2968 may = MAY_READWRITE;
2969 break;
2970 case IPC_INFO:
2971 case MSG_INFO:
2972 /*
2973 * System level information
2974 */
2975 return 0;
2976 default:
2977 return -EINVAL;
2978 }
2979
2980 return smk_curacc_msq(msq, may);
2981 }
2982
2983 /**
2984 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2985 * @msq: the object
2986 * @msg: unused
2987 * @msqflg: access requested
2988 *
2989 * Returns 0 if current has the requested access, error code otherwise
2990 */
smack_msg_queue_msgsnd(struct msg_queue * msq,struct msg_msg * msg,int msqflg)2991 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
2992 int msqflg)
2993 {
2994 int may;
2995
2996 may = smack_flags_to_may(msqflg);
2997 return smk_curacc_msq(msq, may);
2998 }
2999
3000 /**
3001 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3002 * @msq: the object
3003 * @msg: unused
3004 * @target: unused
3005 * @type: unused
3006 * @mode: unused
3007 *
3008 * Returns 0 if current has read and write access, error code otherwise
3009 */
smack_msg_queue_msgrcv(struct msg_queue * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)3010 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3011 struct task_struct *target, long type, int mode)
3012 {
3013 return smk_curacc_msq(msq, MAY_READWRITE);
3014 }
3015
3016 /**
3017 * smack_ipc_permission - Smack access for ipc_permission()
3018 * @ipp: the object permissions
3019 * @flag: access requested
3020 *
3021 * Returns 0 if current has read and write access, error code otherwise
3022 */
smack_ipc_permission(struct kern_ipc_perm * ipp,short flag)3023 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
3024 {
3025 struct smack_known *iskp = ipp->security;
3026 int may = smack_flags_to_may(flag);
3027 struct smk_audit_info ad;
3028 int rc;
3029
3030 #ifdef CONFIG_AUDIT
3031 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
3032 ad.a.u.ipc_id = ipp->id;
3033 #endif
3034 rc = smk_curacc(iskp, may, &ad);
3035 rc = smk_bu_current("svipc", iskp, may, rc);
3036 return rc;
3037 }
3038
3039 /**
3040 * smack_ipc_getsecid - Extract smack security id
3041 * @ipp: the object permissions
3042 * @secid: where result will be saved
3043 */
smack_ipc_getsecid(struct kern_ipc_perm * ipp,u32 * secid)3044 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
3045 {
3046 struct smack_known *iskp = ipp->security;
3047
3048 *secid = iskp->smk_secid;
3049 }
3050
3051 /**
3052 * smack_d_instantiate - Make sure the blob is correct on an inode
3053 * @opt_dentry: dentry where inode will be attached
3054 * @inode: the object
3055 *
3056 * Set the inode's security blob if it hasn't been done already.
3057 */
smack_d_instantiate(struct dentry * opt_dentry,struct inode * inode)3058 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3059 {
3060 struct super_block *sbp;
3061 struct superblock_smack *sbsp;
3062 struct inode_smack *isp;
3063 struct smack_known *skp;
3064 struct smack_known *ckp = smk_of_current();
3065 struct smack_known *final;
3066 char trattr[TRANS_TRUE_SIZE];
3067 int transflag = 0;
3068 int rc;
3069 struct dentry *dp;
3070
3071 if (inode == NULL)
3072 return;
3073
3074 isp = inode->i_security;
3075
3076 mutex_lock(&isp->smk_lock);
3077 /*
3078 * If the inode is already instantiated
3079 * take the quick way out
3080 */
3081 if (isp->smk_flags & SMK_INODE_INSTANT)
3082 goto unlockandout;
3083
3084 sbp = inode->i_sb;
3085 sbsp = sbp->s_security;
3086 /*
3087 * We're going to use the superblock default label
3088 * if there's no label on the file.
3089 */
3090 final = sbsp->smk_default;
3091
3092 /*
3093 * If this is the root inode the superblock
3094 * may be in the process of initialization.
3095 * If that is the case use the root value out
3096 * of the superblock.
3097 */
3098 if (opt_dentry->d_parent == opt_dentry) {
3099 switch (sbp->s_magic) {
3100 case CGROUP_SUPER_MAGIC:
3101 /*
3102 * The cgroup filesystem is never mounted,
3103 * so there's no opportunity to set the mount
3104 * options.
3105 */
3106 sbsp->smk_root = &smack_known_star;
3107 sbsp->smk_default = &smack_known_star;
3108 isp->smk_inode = sbsp->smk_root;
3109 break;
3110 case TMPFS_MAGIC:
3111 /*
3112 * What about shmem/tmpfs anonymous files with dentry
3113 * obtained from d_alloc_pseudo()?
3114 */
3115 isp->smk_inode = smk_of_current();
3116 break;
3117 default:
3118 isp->smk_inode = sbsp->smk_root;
3119 break;
3120 }
3121 isp->smk_flags |= SMK_INODE_INSTANT;
3122 goto unlockandout;
3123 }
3124
3125 /*
3126 * This is pretty hackish.
3127 * Casey says that we shouldn't have to do
3128 * file system specific code, but it does help
3129 * with keeping it simple.
3130 */
3131 switch (sbp->s_magic) {
3132 case SMACK_MAGIC:
3133 case PIPEFS_MAGIC:
3134 case SOCKFS_MAGIC:
3135 case CGROUP_SUPER_MAGIC:
3136 /*
3137 * Casey says that it's a little embarrassing
3138 * that the smack file system doesn't do
3139 * extended attributes.
3140 *
3141 * Casey says pipes are easy (?)
3142 *
3143 * Socket access is controlled by the socket
3144 * structures associated with the task involved.
3145 *
3146 * Cgroupfs is special
3147 */
3148 final = &smack_known_star;
3149 break;
3150 case DEVPTS_SUPER_MAGIC:
3151 /*
3152 * devpts seems content with the label of the task.
3153 * Programs that change smack have to treat the
3154 * pty with respect.
3155 */
3156 final = ckp;
3157 break;
3158 case PROC_SUPER_MAGIC:
3159 /*
3160 * Casey says procfs appears not to care.
3161 * The superblock default suffices.
3162 */
3163 break;
3164 case TMPFS_MAGIC:
3165 /*
3166 * Device labels should come from the filesystem,
3167 * but watch out, because they're volitile,
3168 * getting recreated on every reboot.
3169 */
3170 final = &smack_known_star;
3171 /*
3172 * No break.
3173 *
3174 * If a smack value has been set we want to use it,
3175 * but since tmpfs isn't giving us the opportunity
3176 * to set mount options simulate setting the
3177 * superblock default.
3178 */
3179 default:
3180 /*
3181 * This isn't an understood special case.
3182 * Get the value from the xattr.
3183 */
3184
3185 /*
3186 * UNIX domain sockets use lower level socket data.
3187 */
3188 if (S_ISSOCK(inode->i_mode)) {
3189 final = &smack_known_star;
3190 break;
3191 }
3192 /*
3193 * No xattr support means, alas, no SMACK label.
3194 * Use the aforeapplied default.
3195 * It would be curious if the label of the task
3196 * does not match that assigned.
3197 */
3198 if (inode->i_op->getxattr == NULL)
3199 break;
3200 /*
3201 * Get the dentry for xattr.
3202 */
3203 dp = dget(opt_dentry);
3204 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp);
3205 if (skp != NULL)
3206 final = skp;
3207
3208 /*
3209 * Transmuting directory
3210 */
3211 if (S_ISDIR(inode->i_mode)) {
3212 /*
3213 * If this is a new directory and the label was
3214 * transmuted when the inode was initialized
3215 * set the transmute attribute on the directory
3216 * and mark the inode.
3217 *
3218 * If there is a transmute attribute on the
3219 * directory mark the inode.
3220 */
3221 if (isp->smk_flags & SMK_INODE_CHANGED) {
3222 isp->smk_flags &= ~SMK_INODE_CHANGED;
3223 rc = inode->i_op->setxattr(dp,
3224 XATTR_NAME_SMACKTRANSMUTE,
3225 TRANS_TRUE, TRANS_TRUE_SIZE,
3226 0);
3227 } else {
3228 rc = inode->i_op->getxattr(dp,
3229 XATTR_NAME_SMACKTRANSMUTE, trattr,
3230 TRANS_TRUE_SIZE);
3231 if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
3232 TRANS_TRUE_SIZE) != 0)
3233 rc = -EINVAL;
3234 }
3235 if (rc >= 0)
3236 transflag = SMK_INODE_TRANSMUTE;
3237 }
3238 /*
3239 * Don't let the exec or mmap label be "*" or "@".
3240 */
3241 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
3242 if (skp == &smack_known_star || skp == &smack_known_web)
3243 skp = NULL;
3244 isp->smk_task = skp;
3245 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
3246 if (skp == &smack_known_star || skp == &smack_known_web)
3247 skp = NULL;
3248 isp->smk_mmap = skp;
3249
3250 dput(dp);
3251 break;
3252 }
3253
3254 if (final == NULL)
3255 isp->smk_inode = ckp;
3256 else
3257 isp->smk_inode = final;
3258
3259 isp->smk_flags |= (SMK_INODE_INSTANT | transflag);
3260
3261 unlockandout:
3262 mutex_unlock(&isp->smk_lock);
3263 return;
3264 }
3265
3266 /**
3267 * smack_getprocattr - Smack process attribute access
3268 * @p: the object task
3269 * @name: the name of the attribute in /proc/.../attr
3270 * @value: where to put the result
3271 *
3272 * Places a copy of the task Smack into value
3273 *
3274 * Returns the length of the smack label or an error code
3275 */
smack_getprocattr(struct task_struct * p,char * name,char ** value)3276 static int smack_getprocattr(struct task_struct *p, char *name, char **value)
3277 {
3278 struct smack_known *skp = smk_of_task_struct(p);
3279 char *cp;
3280 int slen;
3281
3282 if (strcmp(name, "current") != 0)
3283 return -EINVAL;
3284
3285 cp = kstrdup(skp->smk_known, GFP_KERNEL);
3286 if (cp == NULL)
3287 return -ENOMEM;
3288
3289 slen = strlen(cp);
3290 *value = cp;
3291 return slen;
3292 }
3293
3294 /**
3295 * smack_setprocattr - Smack process attribute setting
3296 * @p: the object task
3297 * @name: the name of the attribute in /proc/.../attr
3298 * @value: the value to set
3299 * @size: the size of the value
3300 *
3301 * Sets the Smack value of the task. Only setting self
3302 * is permitted and only with privilege
3303 *
3304 * Returns the length of the smack label or an error code
3305 */
smack_setprocattr(struct task_struct * p,char * name,void * value,size_t size)3306 static int smack_setprocattr(struct task_struct *p, char *name,
3307 void *value, size_t size)
3308 {
3309 struct task_smack *tsp;
3310 struct cred *new;
3311 struct smack_known *skp;
3312
3313 /*
3314 * Changing another process' Smack value is too dangerous
3315 * and supports no sane use case.
3316 */
3317 if (p != current)
3318 return -EPERM;
3319
3320 if (!smack_privileged(CAP_MAC_ADMIN))
3321 return -EPERM;
3322
3323 if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
3324 return -EINVAL;
3325
3326 if (strcmp(name, "current") != 0)
3327 return -EINVAL;
3328
3329 skp = smk_import_entry(value, size);
3330 if (skp == NULL)
3331 return -EINVAL;
3332
3333 /*
3334 * No process is ever allowed the web ("@") label.
3335 */
3336 if (skp == &smack_known_web)
3337 return -EPERM;
3338
3339 new = prepare_creds();
3340 if (new == NULL)
3341 return -ENOMEM;
3342
3343 tsp = new->security;
3344 tsp->smk_task = skp;
3345
3346 commit_creds(new);
3347 return size;
3348 }
3349
3350 /**
3351 * smack_unix_stream_connect - Smack access on UDS
3352 * @sock: one sock
3353 * @other: the other sock
3354 * @newsk: unused
3355 *
3356 * Return 0 if a subject with the smack of sock could access
3357 * an object with the smack of other, otherwise an error code
3358 */
smack_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)3359 static int smack_unix_stream_connect(struct sock *sock,
3360 struct sock *other, struct sock *newsk)
3361 {
3362 struct smack_known *skp;
3363 struct smack_known *okp;
3364 struct socket_smack *ssp = sock->sk_security;
3365 struct socket_smack *osp = other->sk_security;
3366 struct socket_smack *nsp = newsk->sk_security;
3367 struct smk_audit_info ad;
3368 int rc = 0;
3369 #ifdef CONFIG_AUDIT
3370 struct lsm_network_audit net;
3371 #endif
3372
3373 if (!smack_privileged(CAP_MAC_OVERRIDE)) {
3374 skp = ssp->smk_out;
3375 okp = osp->smk_in;
3376 #ifdef CONFIG_AUDIT
3377 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3378 smk_ad_setfield_u_net_sk(&ad, other);
3379 #endif
3380 rc = smk_access(skp, okp, MAY_WRITE, &ad);
3381 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc);
3382 if (rc == 0) {
3383 okp = osp->smk_out;
3384 skp = ssp->smk_in;
3385 rc = smk_access(okp, skp, MAY_WRITE, &ad);
3386 rc = smk_bu_note("UDS connect", okp, skp,
3387 MAY_WRITE, rc);
3388 }
3389 }
3390
3391 /*
3392 * Cross reference the peer labels for SO_PEERSEC.
3393 */
3394 if (rc == 0) {
3395 nsp->smk_packet = ssp->smk_out;
3396 ssp->smk_packet = osp->smk_out;
3397 }
3398
3399 return rc;
3400 }
3401
3402 /**
3403 * smack_unix_may_send - Smack access on UDS
3404 * @sock: one socket
3405 * @other: the other socket
3406 *
3407 * Return 0 if a subject with the smack of sock could access
3408 * an object with the smack of other, otherwise an error code
3409 */
smack_unix_may_send(struct socket * sock,struct socket * other)3410 static int smack_unix_may_send(struct socket *sock, struct socket *other)
3411 {
3412 struct socket_smack *ssp = sock->sk->sk_security;
3413 struct socket_smack *osp = other->sk->sk_security;
3414 struct smk_audit_info ad;
3415 int rc;
3416
3417 #ifdef CONFIG_AUDIT
3418 struct lsm_network_audit net;
3419
3420 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3421 smk_ad_setfield_u_net_sk(&ad, other->sk);
3422 #endif
3423
3424 if (smack_privileged(CAP_MAC_OVERRIDE))
3425 return 0;
3426
3427 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
3428 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc);
3429 return rc;
3430 }
3431
3432 /**
3433 * smack_socket_sendmsg - Smack check based on destination host
3434 * @sock: the socket
3435 * @msg: the message
3436 * @size: the size of the message
3437 *
3438 * Return 0 if the current subject can write to the destination host.
3439 * For IPv4 this is only a question if the destination is a single label host.
3440 * For IPv6 this is a check against the label of the port.
3441 */
smack_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)3442 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3443 int size)
3444 {
3445 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
3446 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
3447 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
3448 #endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
3449 int rc = 0;
3450
3451 /*
3452 * Perfectly reasonable for this to be NULL
3453 */
3454 if (sip == NULL)
3455 return 0;
3456
3457 switch (sip->sin_family) {
3458 case AF_INET:
3459 rc = smack_netlabel_send(sock->sk, sip);
3460 break;
3461 case AF_INET6:
3462 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
3463 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
3464 #endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
3465 break;
3466 }
3467 return rc;
3468 }
3469
3470 /**
3471 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
3472 * @sap: netlabel secattr
3473 * @ssp: socket security information
3474 *
3475 * Returns a pointer to a Smack label entry found on the label list.
3476 */
smack_from_secattr(struct netlbl_lsm_secattr * sap,struct socket_smack * ssp)3477 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
3478 struct socket_smack *ssp)
3479 {
3480 struct smack_known *skp;
3481 int found = 0;
3482 int acat;
3483 int kcat;
3484
3485 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
3486 /*
3487 * Looks like a CIPSO packet.
3488 * If there are flags but no level netlabel isn't
3489 * behaving the way we expect it to.
3490 *
3491 * Look it up in the label table
3492 * Without guidance regarding the smack value
3493 * for the packet fall back on the network
3494 * ambient value.
3495 */
3496 rcu_read_lock();
3497 list_for_each_entry(skp, &smack_known_list, list) {
3498 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
3499 continue;
3500 /*
3501 * Compare the catsets. Use the netlbl APIs.
3502 */
3503 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
3504 if ((skp->smk_netlabel.flags &
3505 NETLBL_SECATTR_MLS_CAT) == 0)
3506 found = 1;
3507 break;
3508 }
3509 for (acat = -1, kcat = -1; acat == kcat; ) {
3510 acat = netlbl_catmap_walk(sap->attr.mls.cat,
3511 acat + 1);
3512 kcat = netlbl_catmap_walk(
3513 skp->smk_netlabel.attr.mls.cat,
3514 kcat + 1);
3515 if (acat < 0 || kcat < 0)
3516 break;
3517 }
3518 if (acat == kcat) {
3519 found = 1;
3520 break;
3521 }
3522 }
3523 rcu_read_unlock();
3524
3525 if (found)
3526 return skp;
3527
3528 if (ssp != NULL && ssp->smk_in == &smack_known_star)
3529 return &smack_known_web;
3530 return &smack_known_star;
3531 }
3532 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) {
3533 /*
3534 * Looks like a fallback, which gives us a secid.
3535 */
3536 skp = smack_from_secid(sap->attr.secid);
3537 /*
3538 * This has got to be a bug because it is
3539 * impossible to specify a fallback without
3540 * specifying the label, which will ensure
3541 * it has a secid, and the only way to get a
3542 * secid is from a fallback.
3543 */
3544 BUG_ON(skp == NULL);
3545 return skp;
3546 }
3547 /*
3548 * Without guidance regarding the smack value
3549 * for the packet fall back on the network
3550 * ambient value.
3551 */
3552 return smack_net_ambient;
3553 }
3554
3555 #if IS_ENABLED(CONFIG_IPV6)
smk_skb_to_addr_ipv6(struct sk_buff * skb,struct sockaddr_in6 * sip)3556 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
3557 {
3558 u8 nexthdr;
3559 int offset;
3560 int proto = -EINVAL;
3561 struct ipv6hdr _ipv6h;
3562 struct ipv6hdr *ip6;
3563 __be16 frag_off;
3564 struct tcphdr _tcph, *th;
3565 struct udphdr _udph, *uh;
3566 struct dccp_hdr _dccph, *dh;
3567
3568 sip->sin6_port = 0;
3569
3570 offset = skb_network_offset(skb);
3571 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3572 if (ip6 == NULL)
3573 return -EINVAL;
3574 sip->sin6_addr = ip6->saddr;
3575
3576 nexthdr = ip6->nexthdr;
3577 offset += sizeof(_ipv6h);
3578 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3579 if (offset < 0)
3580 return -EINVAL;
3581
3582 proto = nexthdr;
3583 switch (proto) {
3584 case IPPROTO_TCP:
3585 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3586 if (th != NULL)
3587 sip->sin6_port = th->source;
3588 break;
3589 case IPPROTO_UDP:
3590 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3591 if (uh != NULL)
3592 sip->sin6_port = uh->source;
3593 break;
3594 case IPPROTO_DCCP:
3595 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3596 if (dh != NULL)
3597 sip->sin6_port = dh->dccph_sport;
3598 break;
3599 }
3600 return proto;
3601 }
3602 #endif /* CONFIG_IPV6 */
3603
3604 /**
3605 * smack_socket_sock_rcv_skb - Smack packet delivery access check
3606 * @sk: socket
3607 * @skb: packet
3608 *
3609 * Returns 0 if the packet should be delivered, an error code otherwise
3610 */
smack_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)3611 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3612 {
3613 struct netlbl_lsm_secattr secattr;
3614 struct socket_smack *ssp = sk->sk_security;
3615 struct smack_known *skp = NULL;
3616 int rc = 0;
3617 struct smk_audit_info ad;
3618 #ifdef CONFIG_AUDIT
3619 struct lsm_network_audit net;
3620 #endif
3621 #if IS_ENABLED(CONFIG_IPV6)
3622 struct sockaddr_in6 sadd;
3623 int proto;
3624 #endif /* CONFIG_IPV6 */
3625
3626 switch (sk->sk_family) {
3627 case PF_INET:
3628 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3629 /*
3630 * If there is a secmark use it rather than the CIPSO label.
3631 * If there is no secmark fall back to CIPSO.
3632 * The secmark is assumed to reflect policy better.
3633 */
3634 if (skb && skb->secmark != 0) {
3635 skp = smack_from_secid(skb->secmark);
3636 goto access_check;
3637 }
3638 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */
3639 /*
3640 * Translate what netlabel gave us.
3641 */
3642 netlbl_secattr_init(&secattr);
3643
3644 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
3645 if (rc == 0)
3646 skp = smack_from_secattr(&secattr, ssp);
3647 else
3648 skp = smack_net_ambient;
3649
3650 netlbl_secattr_destroy(&secattr);
3651
3652 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3653 access_check:
3654 #endif
3655 #ifdef CONFIG_AUDIT
3656 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3657 ad.a.u.net->family = sk->sk_family;
3658 ad.a.u.net->netif = skb->skb_iif;
3659 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
3660 #endif
3661 /*
3662 * Receiving a packet requires that the other end
3663 * be able to write here. Read access is not required.
3664 * This is the simplist possible security model
3665 * for networking.
3666 */
3667 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3668 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
3669 MAY_WRITE, rc);
3670 if (rc != 0)
3671 netlbl_skbuff_err(skb, rc, 0);
3672 break;
3673 #if IS_ENABLED(CONFIG_IPV6)
3674 case PF_INET6:
3675 proto = smk_skb_to_addr_ipv6(skb, &sadd);
3676 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
3677 break;
3678 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3679 if (skb && skb->secmark != 0)
3680 skp = smack_from_secid(skb->secmark);
3681 else
3682 skp = smack_net_ambient;
3683 #ifdef CONFIG_AUDIT
3684 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3685 ad.a.u.net->family = sk->sk_family;
3686 ad.a.u.net->netif = skb->skb_iif;
3687 ipv6_skb_to_auditdata(skb, &ad.a, NULL);
3688 #endif /* CONFIG_AUDIT */
3689 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3690 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
3691 MAY_WRITE, rc);
3692 #else /* CONFIG_SECURITY_SMACK_NETFILTER */
3693 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
3694 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */
3695 break;
3696 #endif /* CONFIG_IPV6 */
3697 }
3698
3699 return rc;
3700 }
3701
3702 /**
3703 * smack_socket_getpeersec_stream - pull in packet label
3704 * @sock: the socket
3705 * @optval: user's destination
3706 * @optlen: size thereof
3707 * @len: max thereof
3708 *
3709 * returns zero on success, an error code otherwise
3710 */
smack_socket_getpeersec_stream(struct socket * sock,char __user * optval,int __user * optlen,unsigned len)3711 static int smack_socket_getpeersec_stream(struct socket *sock,
3712 char __user *optval,
3713 int __user *optlen, unsigned len)
3714 {
3715 struct socket_smack *ssp;
3716 char *rcp = "";
3717 int slen = 1;
3718 int rc = 0;
3719
3720 ssp = sock->sk->sk_security;
3721 if (ssp->smk_packet != NULL) {
3722 rcp = ssp->smk_packet->smk_known;
3723 slen = strlen(rcp) + 1;
3724 }
3725
3726 if (slen > len)
3727 rc = -ERANGE;
3728 else if (copy_to_user(optval, rcp, slen) != 0)
3729 rc = -EFAULT;
3730
3731 if (put_user(slen, optlen) != 0)
3732 rc = -EFAULT;
3733
3734 return rc;
3735 }
3736
3737
3738 /**
3739 * smack_socket_getpeersec_dgram - pull in packet label
3740 * @sock: the peer socket
3741 * @skb: packet data
3742 * @secid: pointer to where to put the secid of the packet
3743 *
3744 * Sets the netlabel socket state on sk from parent
3745 */
smack_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)3746 static int smack_socket_getpeersec_dgram(struct socket *sock,
3747 struct sk_buff *skb, u32 *secid)
3748
3749 {
3750 struct netlbl_lsm_secattr secattr;
3751 struct socket_smack *ssp = NULL;
3752 struct smack_known *skp;
3753 int family = PF_UNSPEC;
3754 u32 s = 0; /* 0 is the invalid secid */
3755 int rc;
3756
3757 if (skb != NULL) {
3758 if (skb->protocol == htons(ETH_P_IP))
3759 family = PF_INET;
3760 #if IS_ENABLED(CONFIG_IPV6)
3761 else if (skb->protocol == htons(ETH_P_IPV6))
3762 family = PF_INET6;
3763 #endif /* CONFIG_IPV6 */
3764 }
3765 if (family == PF_UNSPEC && sock != NULL)
3766 family = sock->sk->sk_family;
3767
3768 switch (family) {
3769 case PF_UNIX:
3770 ssp = sock->sk->sk_security;
3771 s = ssp->smk_out->smk_secid;
3772 break;
3773 case PF_INET:
3774 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3775 s = skb->secmark;
3776 if (s != 0)
3777 break;
3778 #endif
3779 /*
3780 * Translate what netlabel gave us.
3781 */
3782 if (sock != NULL && sock->sk != NULL)
3783 ssp = sock->sk->sk_security;
3784 netlbl_secattr_init(&secattr);
3785 rc = netlbl_skbuff_getattr(skb, family, &secattr);
3786 if (rc == 0) {
3787 skp = smack_from_secattr(&secattr, ssp);
3788 s = skp->smk_secid;
3789 }
3790 netlbl_secattr_destroy(&secattr);
3791 break;
3792 #if IS_ENABLED(CONFIG_IPV6)
3793 case PF_INET6:
3794 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3795 s = skb->secmark;
3796 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */
3797 break;
3798 #endif /* CONFIG_IPV6 */
3799 }
3800 *secid = s;
3801 if (s == 0)
3802 return -EINVAL;
3803 return 0;
3804 }
3805
3806 /**
3807 * smack_sock_graft - Initialize a newly created socket with an existing sock
3808 * @sk: child sock
3809 * @parent: parent socket
3810 *
3811 * Set the smk_{in,out} state of an existing sock based on the process that
3812 * is creating the new socket.
3813 */
smack_sock_graft(struct sock * sk,struct socket * parent)3814 static void smack_sock_graft(struct sock *sk, struct socket *parent)
3815 {
3816 struct socket_smack *ssp;
3817 struct smack_known *skp = smk_of_current();
3818
3819 if (sk == NULL ||
3820 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
3821 return;
3822
3823 ssp = sk->sk_security;
3824 ssp->smk_in = skp;
3825 ssp->smk_out = skp;
3826 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
3827 }
3828
3829 /**
3830 * smack_inet_conn_request - Smack access check on connect
3831 * @sk: socket involved
3832 * @skb: packet
3833 * @req: unused
3834 *
3835 * Returns 0 if a task with the packet label could write to
3836 * the socket, otherwise an error code
3837 */
smack_inet_conn_request(struct sock * sk,struct sk_buff * skb,struct request_sock * req)3838 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3839 struct request_sock *req)
3840 {
3841 u16 family = sk->sk_family;
3842 struct smack_known *skp;
3843 struct socket_smack *ssp = sk->sk_security;
3844 struct netlbl_lsm_secattr secattr;
3845 struct sockaddr_in addr;
3846 struct iphdr *hdr;
3847 struct smack_known *hskp;
3848 int rc;
3849 struct smk_audit_info ad;
3850 #ifdef CONFIG_AUDIT
3851 struct lsm_network_audit net;
3852 #endif
3853
3854 #if IS_ENABLED(CONFIG_IPV6)
3855 if (family == PF_INET6) {
3856 /*
3857 * Handle mapped IPv4 packets arriving
3858 * via IPv6 sockets. Don't set up netlabel
3859 * processing on IPv6.
3860 */
3861 if (skb->protocol == htons(ETH_P_IP))
3862 family = PF_INET;
3863 else
3864 return 0;
3865 }
3866 #endif /* CONFIG_IPV6 */
3867
3868 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3869 /*
3870 * If there is a secmark use it rather than the CIPSO label.
3871 * If there is no secmark fall back to CIPSO.
3872 * The secmark is assumed to reflect policy better.
3873 */
3874 if (skb && skb->secmark != 0) {
3875 skp = smack_from_secid(skb->secmark);
3876 goto access_check;
3877 }
3878 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */
3879
3880 netlbl_secattr_init(&secattr);
3881 rc = netlbl_skbuff_getattr(skb, family, &secattr);
3882 if (rc == 0)
3883 skp = smack_from_secattr(&secattr, ssp);
3884 else
3885 skp = &smack_known_huh;
3886 netlbl_secattr_destroy(&secattr);
3887
3888 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3889 access_check:
3890 #endif
3891
3892 #ifdef CONFIG_AUDIT
3893 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3894 ad.a.u.net->family = family;
3895 ad.a.u.net->netif = skb->skb_iif;
3896 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
3897 #endif
3898 /*
3899 * Receiving a packet requires that the other end be able to write
3900 * here. Read access is not required.
3901 */
3902 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3903 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc);
3904 if (rc != 0)
3905 return rc;
3906
3907 /*
3908 * Save the peer's label in the request_sock so we can later setup
3909 * smk_packet in the child socket so that SO_PEERCRED can report it.
3910 */
3911 req->peer_secid = skp->smk_secid;
3912
3913 /*
3914 * We need to decide if we want to label the incoming connection here
3915 * if we do we only need to label the request_sock and the stack will
3916 * propagate the wire-label to the sock when it is created.
3917 */
3918 hdr = ip_hdr(skb);
3919 addr.sin_addr.s_addr = hdr->saddr;
3920 rcu_read_lock();
3921 hskp = smack_host_label(&addr);
3922 rcu_read_unlock();
3923
3924 if (hskp == NULL)
3925 rc = netlbl_req_setattr(req, &skp->smk_netlabel);
3926 else
3927 netlbl_req_delattr(req);
3928
3929 return rc;
3930 }
3931
3932 /**
3933 * smack_inet_csk_clone - Copy the connection information to the new socket
3934 * @sk: the new socket
3935 * @req: the connection's request_sock
3936 *
3937 * Transfer the connection's peer label to the newly created socket.
3938 */
smack_inet_csk_clone(struct sock * sk,const struct request_sock * req)3939 static void smack_inet_csk_clone(struct sock *sk,
3940 const struct request_sock *req)
3941 {
3942 struct socket_smack *ssp = sk->sk_security;
3943 struct smack_known *skp;
3944
3945 if (req->peer_secid != 0) {
3946 skp = smack_from_secid(req->peer_secid);
3947 ssp->smk_packet = skp;
3948 } else
3949 ssp->smk_packet = NULL;
3950 }
3951
3952 /*
3953 * Key management security hooks
3954 *
3955 * Casey has not tested key support very heavily.
3956 * The permission check is most likely too restrictive.
3957 * If you care about keys please have a look.
3958 */
3959 #ifdef CONFIG_KEYS
3960
3961 /**
3962 * smack_key_alloc - Set the key security blob
3963 * @key: object
3964 * @cred: the credentials to use
3965 * @flags: unused
3966 *
3967 * No allocation required
3968 *
3969 * Returns 0
3970 */
smack_key_alloc(struct key * key,const struct cred * cred,unsigned long flags)3971 static int smack_key_alloc(struct key *key, const struct cred *cred,
3972 unsigned long flags)
3973 {
3974 struct smack_known *skp = smk_of_task(cred->security);
3975
3976 key->security = skp;
3977 return 0;
3978 }
3979
3980 /**
3981 * smack_key_free - Clear the key security blob
3982 * @key: the object
3983 *
3984 * Clear the blob pointer
3985 */
smack_key_free(struct key * key)3986 static void smack_key_free(struct key *key)
3987 {
3988 key->security = NULL;
3989 }
3990
3991 /**
3992 * smack_key_permission - Smack access on a key
3993 * @key_ref: gets to the object
3994 * @cred: the credentials to use
3995 * @perm: requested key permissions
3996 *
3997 * Return 0 if the task has read and write to the object,
3998 * an error code otherwise
3999 */
smack_key_permission(key_ref_t key_ref,const struct cred * cred,unsigned perm)4000 static int smack_key_permission(key_ref_t key_ref,
4001 const struct cred *cred, unsigned perm)
4002 {
4003 struct key *keyp;
4004 struct smk_audit_info ad;
4005 struct smack_known *tkp = smk_of_task(cred->security);
4006 int request = 0;
4007 int rc;
4008
4009 keyp = key_ref_to_ptr(key_ref);
4010 if (keyp == NULL)
4011 return -EINVAL;
4012 /*
4013 * If the key hasn't been initialized give it access so that
4014 * it may do so.
4015 */
4016 if (keyp->security == NULL)
4017 return 0;
4018 /*
4019 * This should not occur
4020 */
4021 if (tkp == NULL)
4022 return -EACCES;
4023 #ifdef CONFIG_AUDIT
4024 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
4025 ad.a.u.key_struct.key = keyp->serial;
4026 ad.a.u.key_struct.key_desc = keyp->description;
4027 #endif
4028 if (perm & KEY_NEED_READ)
4029 request = MAY_READ;
4030 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
4031 request = MAY_WRITE;
4032 rc = smk_access(tkp, keyp->security, request, &ad);
4033 rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
4034 return rc;
4035 }
4036
4037 /*
4038 * smack_key_getsecurity - Smack label tagging the key
4039 * @key points to the key to be queried
4040 * @_buffer points to a pointer that should be set to point to the
4041 * resulting string (if no label or an error occurs).
4042 * Return the length of the string (including terminating NUL) or -ve if
4043 * an error.
4044 * May also return 0 (and a NULL buffer pointer) if there is no label.
4045 */
smack_key_getsecurity(struct key * key,char ** _buffer)4046 static int smack_key_getsecurity(struct key *key, char **_buffer)
4047 {
4048 struct smack_known *skp = key->security;
4049 size_t length;
4050 char *copy;
4051
4052 if (key->security == NULL) {
4053 *_buffer = NULL;
4054 return 0;
4055 }
4056
4057 copy = kstrdup(skp->smk_known, GFP_KERNEL);
4058 if (copy == NULL)
4059 return -ENOMEM;
4060 length = strlen(copy) + 1;
4061
4062 *_buffer = copy;
4063 return length;
4064 }
4065
4066 #endif /* CONFIG_KEYS */
4067
4068 /*
4069 * Smack Audit hooks
4070 *
4071 * Audit requires a unique representation of each Smack specific
4072 * rule. This unique representation is used to distinguish the
4073 * object to be audited from remaining kernel objects and also
4074 * works as a glue between the audit hooks.
4075 *
4076 * Since repository entries are added but never deleted, we'll use
4077 * the smack_known label address related to the given audit rule as
4078 * the needed unique representation. This also better fits the smack
4079 * model where nearly everything is a label.
4080 */
4081 #ifdef CONFIG_AUDIT
4082
4083 /**
4084 * smack_audit_rule_init - Initialize a smack audit rule
4085 * @field: audit rule fields given from user-space (audit.h)
4086 * @op: required testing operator (=, !=, >, <, ...)
4087 * @rulestr: smack label to be audited
4088 * @vrule: pointer to save our own audit rule representation
4089 *
4090 * Prepare to audit cases where (@field @op @rulestr) is true.
4091 * The label to be audited is created if necessay.
4092 */
smack_audit_rule_init(u32 field,u32 op,char * rulestr,void ** vrule)4093 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
4094 {
4095 struct smack_known *skp;
4096 char **rule = (char **)vrule;
4097 *rule = NULL;
4098
4099 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
4100 return -EINVAL;
4101
4102 if (op != Audit_equal && op != Audit_not_equal)
4103 return -EINVAL;
4104
4105 skp = smk_import_entry(rulestr, 0);
4106 if (skp)
4107 *rule = skp->smk_known;
4108
4109 return 0;
4110 }
4111
4112 /**
4113 * smack_audit_rule_known - Distinguish Smack audit rules
4114 * @krule: rule of interest, in Audit kernel representation format
4115 *
4116 * This is used to filter Smack rules from remaining Audit ones.
4117 * If it's proved that this rule belongs to us, the
4118 * audit_rule_match hook will be called to do the final judgement.
4119 */
smack_audit_rule_known(struct audit_krule * krule)4120 static int smack_audit_rule_known(struct audit_krule *krule)
4121 {
4122 struct audit_field *f;
4123 int i;
4124
4125 for (i = 0; i < krule->field_count; i++) {
4126 f = &krule->fields[i];
4127
4128 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER)
4129 return 1;
4130 }
4131
4132 return 0;
4133 }
4134
4135 /**
4136 * smack_audit_rule_match - Audit given object ?
4137 * @secid: security id for identifying the object to test
4138 * @field: audit rule flags given from user-space
4139 * @op: required testing operator
4140 * @vrule: smack internal rule presentation
4141 * @actx: audit context associated with the check
4142 *
4143 * The core Audit hook. It's used to take the decision of
4144 * whether to audit or not to audit a given object.
4145 */
smack_audit_rule_match(u32 secid,u32 field,u32 op,void * vrule,struct audit_context * actx)4146 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
4147 struct audit_context *actx)
4148 {
4149 struct smack_known *skp;
4150 char *rule = vrule;
4151
4152 if (unlikely(!rule)) {
4153 WARN_ONCE(1, "Smack: missing rule\n");
4154 return -ENOENT;
4155 }
4156
4157 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
4158 return 0;
4159
4160 skp = smack_from_secid(secid);
4161
4162 /*
4163 * No need to do string comparisons. If a match occurs,
4164 * both pointers will point to the same smack_known
4165 * label.
4166 */
4167 if (op == Audit_equal)
4168 return (rule == skp->smk_known);
4169 if (op == Audit_not_equal)
4170 return (rule != skp->smk_known);
4171
4172 return 0;
4173 }
4174
4175 /**
4176 * smack_audit_rule_free - free smack rule representation
4177 * @vrule: rule to be freed.
4178 *
4179 * No memory was allocated.
4180 */
smack_audit_rule_free(void * vrule)4181 static void smack_audit_rule_free(void *vrule)
4182 {
4183 /* No-op */
4184 }
4185
4186 #endif /* CONFIG_AUDIT */
4187
4188 /**
4189 * smack_ismaclabel - check if xattr @name references a smack MAC label
4190 * @name: Full xattr name to check.
4191 */
smack_ismaclabel(const char * name)4192 static int smack_ismaclabel(const char *name)
4193 {
4194 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
4195 }
4196
4197
4198 /**
4199 * smack_secid_to_secctx - return the smack label for a secid
4200 * @secid: incoming integer
4201 * @secdata: destination
4202 * @seclen: how long it is
4203 *
4204 * Exists for networking code.
4205 */
smack_secid_to_secctx(u32 secid,char ** secdata,u32 * seclen)4206 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4207 {
4208 struct smack_known *skp = smack_from_secid(secid);
4209
4210 if (secdata)
4211 *secdata = skp->smk_known;
4212 *seclen = strlen(skp->smk_known);
4213 return 0;
4214 }
4215
4216 /**
4217 * smack_secctx_to_secid - return the secid for a smack label
4218 * @secdata: smack label
4219 * @seclen: how long result is
4220 * @secid: outgoing integer
4221 *
4222 * Exists for audit and networking code.
4223 */
smack_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)4224 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
4225 {
4226 struct smack_known *skp = smk_find_entry(secdata);
4227
4228 if (skp)
4229 *secid = skp->smk_secid;
4230 else
4231 *secid = 0;
4232 return 0;
4233 }
4234
4235 /**
4236 * smack_release_secctx - don't do anything.
4237 * @secdata: unused
4238 * @seclen: unused
4239 *
4240 * Exists to make sure nothing gets done, and properly
4241 */
smack_release_secctx(char * secdata,u32 seclen)4242 static void smack_release_secctx(char *secdata, u32 seclen)
4243 {
4244 }
4245
smack_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)4246 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
4247 {
4248 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
4249 }
4250
smack_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)4251 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
4252 {
4253 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
4254 }
4255
smack_inode_getsecctx(struct inode * inode,void ** ctx,u32 * ctxlen)4256 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
4257 {
4258 int len = 0;
4259 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);
4260
4261 if (len < 0)
4262 return len;
4263 *ctxlen = len;
4264 return 0;
4265 }
4266
4267 struct security_operations smack_ops = {
4268 .name = "smack",
4269
4270 .ptrace_access_check = smack_ptrace_access_check,
4271 .ptrace_traceme = smack_ptrace_traceme,
4272 .syslog = smack_syslog,
4273
4274 .sb_alloc_security = smack_sb_alloc_security,
4275 .sb_free_security = smack_sb_free_security,
4276 .sb_copy_data = smack_sb_copy_data,
4277 .sb_kern_mount = smack_sb_kern_mount,
4278 .sb_statfs = smack_sb_statfs,
4279
4280 .bprm_set_creds = smack_bprm_set_creds,
4281 .bprm_committing_creds = smack_bprm_committing_creds,
4282 .bprm_secureexec = smack_bprm_secureexec,
4283
4284 .inode_alloc_security = smack_inode_alloc_security,
4285 .inode_free_security = smack_inode_free_security,
4286 .inode_init_security = smack_inode_init_security,
4287 .inode_link = smack_inode_link,
4288 .inode_unlink = smack_inode_unlink,
4289 .inode_rmdir = smack_inode_rmdir,
4290 .inode_rename = smack_inode_rename,
4291 .inode_permission = smack_inode_permission,
4292 .inode_setattr = smack_inode_setattr,
4293 .inode_getattr = smack_inode_getattr,
4294 .inode_setxattr = smack_inode_setxattr,
4295 .inode_post_setxattr = smack_inode_post_setxattr,
4296 .inode_getxattr = smack_inode_getxattr,
4297 .inode_removexattr = smack_inode_removexattr,
4298 .inode_getsecurity = smack_inode_getsecurity,
4299 .inode_setsecurity = smack_inode_setsecurity,
4300 .inode_listsecurity = smack_inode_listsecurity,
4301 .inode_getsecid = smack_inode_getsecid,
4302
4303 .file_permission = smack_file_permission,
4304 .file_alloc_security = smack_file_alloc_security,
4305 .file_free_security = smack_file_free_security,
4306 .file_ioctl = smack_file_ioctl,
4307 .file_lock = smack_file_lock,
4308 .file_fcntl = smack_file_fcntl,
4309 .mmap_file = smack_mmap_file,
4310 .mmap_addr = cap_mmap_addr,
4311 .file_set_fowner = smack_file_set_fowner,
4312 .file_send_sigiotask = smack_file_send_sigiotask,
4313 .file_receive = smack_file_receive,
4314
4315 .file_open = smack_file_open,
4316
4317 .cred_alloc_blank = smack_cred_alloc_blank,
4318 .cred_free = smack_cred_free,
4319 .cred_prepare = smack_cred_prepare,
4320 .cred_transfer = smack_cred_transfer,
4321 .kernel_act_as = smack_kernel_act_as,
4322 .kernel_create_files_as = smack_kernel_create_files_as,
4323 .task_setpgid = smack_task_setpgid,
4324 .task_getpgid = smack_task_getpgid,
4325 .task_getsid = smack_task_getsid,
4326 .task_getsecid = smack_task_getsecid,
4327 .task_setnice = smack_task_setnice,
4328 .task_setioprio = smack_task_setioprio,
4329 .task_getioprio = smack_task_getioprio,
4330 .task_setscheduler = smack_task_setscheduler,
4331 .task_getscheduler = smack_task_getscheduler,
4332 .task_movememory = smack_task_movememory,
4333 .task_kill = smack_task_kill,
4334 .task_wait = smack_task_wait,
4335 .task_to_inode = smack_task_to_inode,
4336
4337 .ipc_permission = smack_ipc_permission,
4338 .ipc_getsecid = smack_ipc_getsecid,
4339
4340 .msg_msg_alloc_security = smack_msg_msg_alloc_security,
4341 .msg_msg_free_security = smack_msg_msg_free_security,
4342
4343 .msg_queue_alloc_security = smack_msg_queue_alloc_security,
4344 .msg_queue_free_security = smack_msg_queue_free_security,
4345 .msg_queue_associate = smack_msg_queue_associate,
4346 .msg_queue_msgctl = smack_msg_queue_msgctl,
4347 .msg_queue_msgsnd = smack_msg_queue_msgsnd,
4348 .msg_queue_msgrcv = smack_msg_queue_msgrcv,
4349
4350 .shm_alloc_security = smack_shm_alloc_security,
4351 .shm_free_security = smack_shm_free_security,
4352 .shm_associate = smack_shm_associate,
4353 .shm_shmctl = smack_shm_shmctl,
4354 .shm_shmat = smack_shm_shmat,
4355
4356 .sem_alloc_security = smack_sem_alloc_security,
4357 .sem_free_security = smack_sem_free_security,
4358 .sem_associate = smack_sem_associate,
4359 .sem_semctl = smack_sem_semctl,
4360 .sem_semop = smack_sem_semop,
4361
4362 .d_instantiate = smack_d_instantiate,
4363
4364 .getprocattr = smack_getprocattr,
4365 .setprocattr = smack_setprocattr,
4366
4367 .unix_stream_connect = smack_unix_stream_connect,
4368 .unix_may_send = smack_unix_may_send,
4369
4370 .socket_post_create = smack_socket_post_create,
4371 #ifndef CONFIG_SECURITY_SMACK_NETFILTER
4372 .socket_bind = smack_socket_bind,
4373 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */
4374 .socket_connect = smack_socket_connect,
4375 .socket_sendmsg = smack_socket_sendmsg,
4376 .socket_sock_rcv_skb = smack_socket_sock_rcv_skb,
4377 .socket_getpeersec_stream = smack_socket_getpeersec_stream,
4378 .socket_getpeersec_dgram = smack_socket_getpeersec_dgram,
4379 .sk_alloc_security = smack_sk_alloc_security,
4380 .sk_free_security = smack_sk_free_security,
4381 .sock_graft = smack_sock_graft,
4382 .inet_conn_request = smack_inet_conn_request,
4383 .inet_csk_clone = smack_inet_csk_clone,
4384
4385 /* key management security hooks */
4386 #ifdef CONFIG_KEYS
4387 .key_alloc = smack_key_alloc,
4388 .key_free = smack_key_free,
4389 .key_permission = smack_key_permission,
4390 .key_getsecurity = smack_key_getsecurity,
4391 #endif /* CONFIG_KEYS */
4392
4393 /* Audit hooks */
4394 #ifdef CONFIG_AUDIT
4395 .audit_rule_init = smack_audit_rule_init,
4396 .audit_rule_known = smack_audit_rule_known,
4397 .audit_rule_match = smack_audit_rule_match,
4398 .audit_rule_free = smack_audit_rule_free,
4399 #endif /* CONFIG_AUDIT */
4400
4401 .ismaclabel = smack_ismaclabel,
4402 .secid_to_secctx = smack_secid_to_secctx,
4403 .secctx_to_secid = smack_secctx_to_secid,
4404 .release_secctx = smack_release_secctx,
4405 .inode_notifysecctx = smack_inode_notifysecctx,
4406 .inode_setsecctx = smack_inode_setsecctx,
4407 .inode_getsecctx = smack_inode_getsecctx,
4408 };
4409
4410
init_smack_known_list(void)4411 static __init void init_smack_known_list(void)
4412 {
4413 /*
4414 * Initialize rule list locks
4415 */
4416 mutex_init(&smack_known_huh.smk_rules_lock);
4417 mutex_init(&smack_known_hat.smk_rules_lock);
4418 mutex_init(&smack_known_floor.smk_rules_lock);
4419 mutex_init(&smack_known_star.smk_rules_lock);
4420 mutex_init(&smack_known_invalid.smk_rules_lock);
4421 mutex_init(&smack_known_web.smk_rules_lock);
4422 /*
4423 * Initialize rule lists
4424 */
4425 INIT_LIST_HEAD(&smack_known_huh.smk_rules);
4426 INIT_LIST_HEAD(&smack_known_hat.smk_rules);
4427 INIT_LIST_HEAD(&smack_known_star.smk_rules);
4428 INIT_LIST_HEAD(&smack_known_floor.smk_rules);
4429 INIT_LIST_HEAD(&smack_known_invalid.smk_rules);
4430 INIT_LIST_HEAD(&smack_known_web.smk_rules);
4431 /*
4432 * Create the known labels list
4433 */
4434 smk_insert_entry(&smack_known_huh);
4435 smk_insert_entry(&smack_known_hat);
4436 smk_insert_entry(&smack_known_star);
4437 smk_insert_entry(&smack_known_floor);
4438 smk_insert_entry(&smack_known_invalid);
4439 smk_insert_entry(&smack_known_web);
4440 }
4441
4442 /**
4443 * smack_init - initialize the smack system
4444 *
4445 * Returns 0
4446 */
smack_init(void)4447 static __init int smack_init(void)
4448 {
4449 struct cred *cred;
4450 struct task_smack *tsp;
4451
4452 if (!security_module_enable(&smack_ops))
4453 return 0;
4454
4455 smack_enabled = 1;
4456
4457 smack_inode_cache = KMEM_CACHE(inode_smack, 0);
4458 if (!smack_inode_cache)
4459 return -ENOMEM;
4460
4461 tsp = new_task_smack(&smack_known_floor, &smack_known_floor,
4462 GFP_KERNEL);
4463 if (tsp == NULL) {
4464 kmem_cache_destroy(smack_inode_cache);
4465 return -ENOMEM;
4466 }
4467
4468 printk(KERN_INFO "Smack: Initializing.\n");
4469
4470 /*
4471 * Set the security state for the initial task.
4472 */
4473 cred = (struct cred *) current->cred;
4474 cred->security = tsp;
4475
4476 /* initialize the smack_known_list */
4477 init_smack_known_list();
4478
4479 /*
4480 * Register with LSM
4481 */
4482 if (register_security(&smack_ops))
4483 panic("smack: Unable to register with kernel.\n");
4484
4485 return 0;
4486 }
4487
4488 /*
4489 * Smack requires early initialization in order to label
4490 * all processes and objects when they are created.
4491 */
4492 security_initcall(smack_init);
4493