root/security/smack/smack.h

/* [<][>][^][v][top][bottom][index][help] */

INCLUDED FROM

DEFINITIONS

This source file includes following definitions.
  1. smack_cred
  2. smack_file
  3. smack_inode
  4. smack_msg_msg
  5. smack_ipc
  6. smk_inode_transmutable
  7. smk_of_inode
  8. smk_of_task
  9. smk_of_task_struct
  10. smk_of_forked
  11. smk_of_current
  12. smk_ad_init
  13. smk_ad_init_net
  14. smk_ad_setfield_u_tsk
  15. smk_ad_setfield_u_fs_path_dentry
  16. smk_ad_setfield_u_fs_inode
  17. smk_ad_setfield_u_fs_path
  18. smk_ad_setfield_u_net_sk
  19. smk_ad_init
  20. smk_ad_setfield_u_tsk
  21. smk_ad_setfield_u_fs_path_dentry
  22. smk_ad_setfield_u_fs_path_mnt
  23. smk_ad_setfield_u_fs_inode
  24. smk_ad_setfield_u_fs_path
  25. smk_ad_setfield_u_net_sk
   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2 /*
   3  * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
   4  *
   5  * Author:
   6  *      Casey Schaufler <casey@schaufler-ca.com>
   7  */
   8 
   9 #ifndef _SECURITY_SMACK_H
  10 #define _SECURITY_SMACK_H
  11 
  12 #include <linux/capability.h>
  13 #include <linux/spinlock.h>
  14 #include <linux/lsm_hooks.h>
  15 #include <linux/in.h>
  16 #if IS_ENABLED(CONFIG_IPV6)
  17 #include <linux/in6.h>
  18 #endif /* CONFIG_IPV6 */
  19 #include <net/netlabel.h>
  20 #include <linux/list.h>
  21 #include <linux/rculist.h>
  22 #include <linux/lsm_audit.h>
  23 #include <linux/msg.h>
  24 
  25 /*
  26  * Use IPv6 port labeling if IPv6 is enabled and secmarks
  27  * are not being used.
  28  */
  29 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
  30 #define SMACK_IPV6_PORT_LABELING 1
  31 #endif
  32 
  33 #if IS_ENABLED(CONFIG_IPV6) && defined(CONFIG_SECURITY_SMACK_NETFILTER)
  34 #define SMACK_IPV6_SECMARK_LABELING 1
  35 #endif
  36 
  37 /*
  38  * Smack labels were limited to 23 characters for a long time.
  39  */
  40 #define SMK_LABELLEN    24
  41 #define SMK_LONGLABEL   256
  42 
  43 /*
  44  * This is the repository for labels seen so that it is
  45  * not necessary to keep allocating tiny chuncks of memory
  46  * and so that they can be shared.
  47  *
  48  * Labels are never modified in place. Anytime a label
  49  * is imported (e.g. xattrset on a file) the list is checked
  50  * for it and it is added if it doesn't exist. The address
  51  * is passed out in either case. Entries are added, but
  52  * never deleted.
  53  *
  54  * Since labels are hanging around anyway it doesn't
  55  * hurt to maintain a secid for those awkward situations
  56  * where kernel components that ought to use LSM independent
  57  * interfaces don't. The secid should go away when all of
  58  * these components have been repaired.
  59  *
  60  * The cipso value associated with the label gets stored here, too.
  61  *
  62  * Keep the access rules for this subject label here so that
  63  * the entire set of rules does not need to be examined every
  64  * time.
  65  */
  66 struct smack_known {
  67         struct list_head                list;
  68         struct hlist_node               smk_hashed;
  69         char                            *smk_known;
  70         u32                             smk_secid;
  71         struct netlbl_lsm_secattr       smk_netlabel;   /* on wire labels */
  72         struct list_head                smk_rules;      /* access rules */
  73         struct mutex                    smk_rules_lock; /* lock for rules */
  74 };
  75 
  76 /*
  77  * Maximum number of bytes for the levels in a CIPSO IP option.
  78  * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is
  79  * bigger than can be used, and 24 is the next lower multiple
  80  * of 8, and there are too many issues if there isn't space set
  81  * aside for the terminating null byte.
  82  */
  83 #define SMK_CIPSOLEN    24
  84 
  85 struct superblock_smack {
  86         struct smack_known      *smk_root;
  87         struct smack_known      *smk_floor;
  88         struct smack_known      *smk_hat;
  89         struct smack_known      *smk_default;
  90         int                     smk_flags;
  91 };
  92 
  93 /*
  94  * Superblock flags
  95  */
  96 #define SMK_SB_INITIALIZED      0x01
  97 #define SMK_SB_UNTRUSTED        0x02
  98 
  99 struct socket_smack {
 100         struct smack_known      *smk_out;       /* outbound label */
 101         struct smack_known      *smk_in;        /* inbound label */
 102         struct smack_known      *smk_packet;    /* TCP peer label */
 103 };
 104 
 105 /*
 106  * Inode smack data
 107  */
 108 struct inode_smack {
 109         struct smack_known      *smk_inode;     /* label of the fso */
 110         struct smack_known      *smk_task;      /* label of the task */
 111         struct smack_known      *smk_mmap;      /* label of the mmap domain */
 112         struct mutex            smk_lock;       /* initialization lock */
 113         int                     smk_flags;      /* smack inode flags */
 114         struct rcu_head         smk_rcu;        /* for freeing inode_smack */
 115 };
 116 
 117 struct task_smack {
 118         struct smack_known      *smk_task;      /* label for access control */
 119         struct smack_known      *smk_forked;    /* label when forked */
 120         struct list_head        smk_rules;      /* per task access rules */
 121         struct mutex            smk_rules_lock; /* lock for the rules */
 122         struct list_head        smk_relabel;    /* transit allowed labels */
 123 };
 124 
 125 #define SMK_INODE_INSTANT       0x01    /* inode is instantiated */
 126 #define SMK_INODE_TRANSMUTE     0x02    /* directory is transmuting */
 127 #define SMK_INODE_CHANGED       0x04    /* smack was transmuted */
 128 #define SMK_INODE_IMPURE        0x08    /* involved in an impure transaction */
 129 
 130 /*
 131  * A label access rule.
 132  */
 133 struct smack_rule {
 134         struct list_head        list;
 135         struct smack_known      *smk_subject;
 136         struct smack_known      *smk_object;
 137         int                     smk_access;
 138 };
 139 
 140 /*
 141  * An entry in the table identifying IPv4 hosts.
 142  */
 143 struct smk_net4addr {
 144         struct list_head        list;
 145         struct in_addr          smk_host;       /* network address */
 146         struct in_addr          smk_mask;       /* network mask */
 147         int                     smk_masks;      /* mask size */
 148         struct smack_known      *smk_label;     /* label */
 149 };
 150 
 151 /*
 152  * An entry in the table identifying IPv6 hosts.
 153  */
 154 struct smk_net6addr {
 155         struct list_head        list;
 156         struct in6_addr         smk_host;       /* network address */
 157         struct in6_addr         smk_mask;       /* network mask */
 158         int                     smk_masks;      /* mask size */
 159         struct smack_known      *smk_label;     /* label */
 160 };
 161 
 162 /*
 163  * An entry in the table identifying ports.
 164  */
 165 struct smk_port_label {
 166         struct list_head        list;
 167         struct sock             *smk_sock;      /* socket initialized on */
 168         unsigned short          smk_port;       /* the port number */
 169         struct smack_known      *smk_in;        /* inbound label */
 170         struct smack_known      *smk_out;       /* outgoing label */
 171         short                   smk_sock_type;  /* Socket type */
 172         short                   smk_can_reuse;
 173 };
 174 
 175 struct smack_known_list_elem {
 176         struct list_head        list;
 177         struct smack_known      *smk_label;
 178 };
 179 
 180 /* Super block security struct flags for mount options */
 181 #define FSDEFAULT_MNT   0x01
 182 #define FSFLOOR_MNT     0x02
 183 #define FSHAT_MNT       0x04
 184 #define FSROOT_MNT      0x08
 185 #define FSTRANS_MNT     0x10
 186 
 187 #define NUM_SMK_MNT_OPTS        5
 188 
 189 enum {
 190         Opt_error = -1,
 191         Opt_fsdefault = 0,
 192         Opt_fsfloor = 1,
 193         Opt_fshat = 2,
 194         Opt_fsroot = 3,
 195         Opt_fstransmute = 4,
 196 };
 197 
 198 #define SMACK_DELETE_OPTION     "-DELETE"
 199 #define SMACK_CIPSO_OPTION      "-CIPSO"
 200 
 201 /*
 202  * How communications on this socket are treated.
 203  * Usually it's determined by the underlying netlabel code
 204  * but there are certain cases, including single label hosts
 205  * and potentially single label interfaces for which the
 206  * treatment can not be known in advance.
 207  *
 208  * The possibility of additional labeling schemes being
 209  * introduced in the future exists as well.
 210  */
 211 #define SMACK_UNLABELED_SOCKET  0
 212 #define SMACK_CIPSO_SOCKET      1
 213 
 214 /*
 215  * CIPSO defaults.
 216  */
 217 #define SMACK_CIPSO_DOI_DEFAULT         3       /* Historical */
 218 #define SMACK_CIPSO_DOI_INVALID         -1      /* Not a DOI */
 219 #define SMACK_CIPSO_DIRECT_DEFAULT      250     /* Arbitrary */
 220 #define SMACK_CIPSO_MAPPED_DEFAULT      251     /* Also arbitrary */
 221 #define SMACK_CIPSO_MAXLEVEL            255     /* CIPSO 2.2 standard */
 222 /*
 223  * CIPSO 2.2 standard is 239, but Smack wants to use the
 224  * categories in a structured way that limits the value to
 225  * the bits in 23 bytes, hence the unusual number.
 226  */
 227 #define SMACK_CIPSO_MAXCATNUM           184     /* 23 * 8 */
 228 
 229 /*
 230  * Ptrace rules
 231  */
 232 #define SMACK_PTRACE_DEFAULT    0
 233 #define SMACK_PTRACE_EXACT      1
 234 #define SMACK_PTRACE_DRACONIAN  2
 235 #define SMACK_PTRACE_MAX        SMACK_PTRACE_DRACONIAN
 236 
 237 /*
 238  * Flags for untraditional access modes.
 239  * It shouldn't be necessary to avoid conflicts with definitions
 240  * in fs.h, but do so anyway.
 241  */
 242 #define MAY_TRANSMUTE   0x00001000      /* Controls directory labeling */
 243 #define MAY_LOCK        0x00002000      /* Locks should be writes, but ... */
 244 #define MAY_BRINGUP     0x00004000      /* Report use of this rule */
 245 
 246 /*
 247  * The policy for delivering signals is configurable.
 248  * It is usually "write", but can be "append".
 249  */
 250 #ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS
 251 #define MAY_DELIVER     MAY_APPEND      /* Signal delivery requires append */
 252 #else
 253 #define MAY_DELIVER     MAY_WRITE       /* Signal delivery requires write */
 254 #endif
 255 
 256 #define SMACK_BRINGUP_ALLOW             1       /* Allow bringup mode */
 257 #define SMACK_UNCONFINED_SUBJECT        2       /* Allow unconfined label */
 258 #define SMACK_UNCONFINED_OBJECT         3       /* Allow unconfined label */
 259 
 260 /*
 261  * Just to make the common cases easier to deal with
 262  */
 263 #define MAY_ANYREAD     (MAY_READ | MAY_EXEC)
 264 #define MAY_READWRITE   (MAY_READ | MAY_WRITE)
 265 #define MAY_NOT         0
 266 
 267 /*
 268  * Number of access types used by Smack (rwxatlb)
 269  */
 270 #define SMK_NUM_ACCESS_TYPE 7
 271 
 272 /* SMACK data */
 273 struct smack_audit_data {
 274         const char *function;
 275         char *subject;
 276         char *object;
 277         char *request;
 278         int result;
 279 };
 280 
 281 /*
 282  * Smack audit data; is empty if CONFIG_AUDIT not set
 283  * to save some stack
 284  */
 285 struct smk_audit_info {
 286 #ifdef CONFIG_AUDIT
 287         struct common_audit_data a;
 288         struct smack_audit_data sad;
 289 #endif
 290 };
 291 
 292 /*
 293  * These functions are in smack_access.c
 294  */
 295 int smk_access_entry(char *, char *, struct list_head *);
 296 int smk_access(struct smack_known *, struct smack_known *,
 297                int, struct smk_audit_info *);
 298 int smk_tskacc(struct task_smack *, struct smack_known *,
 299                u32, struct smk_audit_info *);
 300 int smk_curacc(struct smack_known *, u32, struct smk_audit_info *);
 301 struct smack_known *smack_from_secid(const u32);
 302 char *smk_parse_smack(const char *string, int len);
 303 int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
 304 struct smack_known *smk_import_entry(const char *, int);
 305 void smk_insert_entry(struct smack_known *skp);
 306 struct smack_known *smk_find_entry(const char *);
 307 bool smack_privileged(int cap);
 308 bool smack_privileged_cred(int cap, const struct cred *cred);
 309 void smk_destroy_label_list(struct list_head *list);
 310 
 311 /*
 312  * Shared data.
 313  */
 314 extern int smack_enabled;
 315 extern int smack_cipso_direct;
 316 extern int smack_cipso_mapped;
 317 extern struct smack_known *smack_net_ambient;
 318 extern struct smack_known *smack_syslog_label;
 319 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
 320 extern struct smack_known *smack_unconfined;
 321 #endif
 322 extern int smack_ptrace_rule;
 323 extern struct lsm_blob_sizes smack_blob_sizes;
 324 
 325 extern struct smack_known smack_known_floor;
 326 extern struct smack_known smack_known_hat;
 327 extern struct smack_known smack_known_huh;
 328 extern struct smack_known smack_known_star;
 329 extern struct smack_known smack_known_web;
 330 
 331 extern struct mutex     smack_known_lock;
 332 extern struct list_head smack_known_list;
 333 extern struct list_head smk_net4addr_list;
 334 extern struct list_head smk_net6addr_list;
 335 
 336 extern struct mutex     smack_onlycap_lock;
 337 extern struct list_head smack_onlycap_list;
 338 
 339 #define SMACK_HASH_SLOTS 16
 340 extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
 341 extern struct kmem_cache *smack_rule_cache;
 342 
 343 static inline struct task_smack *smack_cred(const struct cred *cred)
 344 {
 345         return cred->security + smack_blob_sizes.lbs_cred;
 346 }
 347 
 348 static inline struct smack_known **smack_file(const struct file *file)
 349 {
 350         return (struct smack_known **)(file->f_security +
 351                                        smack_blob_sizes.lbs_file);
 352 }
 353 
 354 static inline struct inode_smack *smack_inode(const struct inode *inode)
 355 {
 356         return inode->i_security + smack_blob_sizes.lbs_inode;
 357 }
 358 
 359 static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg)
 360 {
 361         return msg->security + smack_blob_sizes.lbs_msg_msg;
 362 }
 363 
 364 static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc)
 365 {
 366         return ipc->security + smack_blob_sizes.lbs_ipc;
 367 }
 368 
 369 /*
 370  * Is the directory transmuting?
 371  */
 372 static inline int smk_inode_transmutable(const struct inode *isp)
 373 {
 374         struct inode_smack *sip = smack_inode(isp);
 375         return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
 376 }
 377 
 378 /*
 379  * Present a pointer to the smack label entry in an inode blob.
 380  */
 381 static inline struct smack_known *smk_of_inode(const struct inode *isp)
 382 {
 383         struct inode_smack *sip = smack_inode(isp);
 384         return sip->smk_inode;
 385 }
 386 
 387 /*
 388  * Present a pointer to the smack label entry in an task blob.
 389  */
 390 static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
 391 {
 392         return tsp->smk_task;
 393 }
 394 
 395 static inline struct smack_known *smk_of_task_struct(
 396                                                 const struct task_struct *t)
 397 {
 398         struct smack_known *skp;
 399         const struct cred *cred;
 400 
 401         rcu_read_lock();
 402 
 403         cred = __task_cred(t);
 404         skp = smk_of_task(smack_cred(cred));
 405 
 406         rcu_read_unlock();
 407 
 408         return skp;
 409 }
 410 
 411 /*
 412  * Present a pointer to the forked smack label entry in an task blob.
 413  */
 414 static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
 415 {
 416         return tsp->smk_forked;
 417 }
 418 
 419 /*
 420  * Present a pointer to the smack label in the current task blob.
 421  */
 422 static inline struct smack_known *smk_of_current(void)
 423 {
 424         return smk_of_task(smack_cred(current_cred()));
 425 }
 426 
 427 /*
 428  * logging functions
 429  */
 430 #define SMACK_AUDIT_DENIED 0x1
 431 #define SMACK_AUDIT_ACCEPT 0x2
 432 extern int log_policy;
 433 
 434 void smack_log(char *subject_label, char *object_label,
 435                 int request,
 436                 int result, struct smk_audit_info *auditdata);
 437 
 438 #ifdef CONFIG_AUDIT
 439 
 440 /*
 441  * some inline functions to set up audit data
 442  * they do nothing if CONFIG_AUDIT is not set
 443  *
 444  */
 445 static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
 446                                char type)
 447 {
 448         memset(&a->sad, 0, sizeof(a->sad));
 449         a->a.type = type;
 450         a->a.smack_audit_data = &a->sad;
 451         a->a.smack_audit_data->function = func;
 452 }
 453 
 454 static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
 455                                    char type, struct lsm_network_audit *net)
 456 {
 457         smk_ad_init(a, func, type);
 458         memset(net, 0, sizeof(*net));
 459         a->a.u.net = net;
 460 }
 461 
 462 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
 463                                          struct task_struct *t)
 464 {
 465         a->a.u.tsk = t;
 466 }
 467 static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
 468                                                     struct dentry *d)
 469 {
 470         a->a.u.dentry = d;
 471 }
 472 static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
 473                                               struct inode *i)
 474 {
 475         a->a.u.inode = i;
 476 }
 477 static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
 478                                              struct path p)
 479 {
 480         a->a.u.path = p;
 481 }
 482 static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
 483                                             struct sock *sk)
 484 {
 485         a->a.u.net->sk = sk;
 486 }
 487 
 488 #else /* no AUDIT */
 489 
 490 static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
 491                                char type)
 492 {
 493 }
 494 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
 495                                          struct task_struct *t)
 496 {
 497 }
 498 static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
 499                                                     struct dentry *d)
 500 {
 501 }
 502 static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
 503                                                  struct vfsmount *m)
 504 {
 505 }
 506 static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
 507                                               struct inode *i)
 508 {
 509 }
 510 static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
 511                                              struct path p)
 512 {
 513 }
 514 static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
 515                                             struct sock *sk)
 516 {
 517 }
 518 #endif
 519 
 520 #endif  /* _SECURITY_SMACK_H */
/* [<][>][^][v][top][bottom][index][help] */