tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / security / smack / smack_lsm.c
at master 135 kB view raw
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18#include <linux/xattr.h> 19#include <linux/pagemap.h> 20#include <linux/mount.h> 21#include <linux/stat.h> 22#include <linux/kd.h> 23#include <asm/ioctls.h> 24#include <linux/ip.h> 25#include <linux/tcp.h> 26#include <linux/udp.h> 27#include <linux/icmpv6.h> 28#include <linux/slab.h> 29#include <linux/mutex.h> 30#include <net/cipso_ipv4.h> 31#include <net/ip.h> 32#include <net/ipv6.h> 33#include <linux/audit.h> 34#include <linux/magic.h> 35#include <linux/dcache.h> 36#include <linux/personality.h> 37#include <linux/msg.h> 38#include <linux/shm.h> 39#include <uapi/linux/shm.h> 40#include <linux/binfmts.h> 41#include <linux/parser.h> 42#include <linux/fs_context.h> 43#include <linux/fs_parser.h> 44#include <linux/watch_queue.h> 45#include <linux/io_uring/cmd.h> 46#include <uapi/linux/lsm.h> 47#include "smack.h" 48 49#define TRANS_TRUE "TRUE" 50#define TRANS_TRUE_SIZE 4 51 52#define SMK_CONNECTING 0 53#define SMK_RECEIVING 1 54#define SMK_SENDING 2 55 56/* 57 * Smack uses multiple xattrs. 58 * SMACK64 - for access control, 59 * SMACK64TRANSMUTE - label initialization, 60 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 61 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 62 */ 63#define SMACK_INODE_INIT_XATTRS 2 64 65#ifdef SMACK_IPV6_PORT_LABELING 66static DEFINE_MUTEX(smack_ipv6_lock); 67static LIST_HEAD(smk_ipv6_port_list); 68#endif 69struct kmem_cache *smack_rule_cache; 70int smack_enabled __initdata; 71 72#define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 73static struct { 74 const char *name; 75 int len; 76 int opt; 77} smk_mount_opts[] = { 78 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 79 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 80}; 81#undef A 82 83static int match_opt_prefix(char *s, int l, char **arg) 84{ 85 int i; 86 87 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 88 size_t len = smk_mount_opts[i].len; 89 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 90 continue; 91 if (len == l || s[len] != '=') 92 continue; 93 *arg = s + len + 1; 94 return smk_mount_opts[i].opt; 95 } 96 return Opt_error; 97} 98 99#ifdef CONFIG_SECURITY_SMACK_BRINGUP 100static char *smk_bu_mess[] = { 101 "Bringup Error", /* Unused */ 102 "Bringup", /* SMACK_BRINGUP_ALLOW */ 103 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 104 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 105}; 106 107static void smk_bu_mode(int mode, char *s) 108{ 109 smack_str_from_perm(s, mode); 110} 111#endif 112 113#ifdef CONFIG_SECURITY_SMACK_BRINGUP 114static int smk_bu_note(char *note, struct smack_known *sskp, 115 struct smack_known *oskp, int mode, int rc) 116{ 117 char acc[SMK_NUM_ACCESS_TYPE + 1]; 118 119 if (rc <= 0) 120 return rc; 121 if (rc > SMACK_UNCONFINED_OBJECT) 122 rc = 0; 123 124 smk_bu_mode(mode, acc); 125 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 126 sskp->smk_known, oskp->smk_known, acc, note); 127 return 0; 128} 129#else 130#define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 131#endif 132 133#ifdef CONFIG_SECURITY_SMACK_BRINGUP 134static int smk_bu_current(char *note, struct smack_known *oskp, 135 int mode, int rc) 136{ 137 struct task_smack *tsp = smack_cred(current_cred()); 138 char acc[SMK_NUM_ACCESS_TYPE + 1]; 139 140 if (rc <= 0) 141 return rc; 142 if (rc > SMACK_UNCONFINED_OBJECT) 143 rc = 0; 144 145 smk_bu_mode(mode, acc); 146 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 147 tsp->smk_task->smk_known, oskp->smk_known, 148 acc, current->comm, note); 149 return 0; 150} 151#else 152#define smk_bu_current(note, oskp, mode, RC) (RC) 153#endif 154 155#ifdef CONFIG_SECURITY_SMACK_BRINGUP 156static int smk_bu_task(struct task_struct *otp, int mode, int rc) 157{ 158 struct task_smack *tsp = smack_cred(current_cred()); 159 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 160 char acc[SMK_NUM_ACCESS_TYPE + 1]; 161 162 if (rc <= 0) 163 return rc; 164 if (rc > SMACK_UNCONFINED_OBJECT) 165 rc = 0; 166 167 smk_bu_mode(mode, acc); 168 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 169 tsp->smk_task->smk_known, smk_task->smk_known, acc, 170 current->comm, otp->comm); 171 return 0; 172} 173#else 174#define smk_bu_task(otp, mode, RC) (RC) 175#endif 176 177#ifdef CONFIG_SECURITY_SMACK_BRINGUP 178static int smk_bu_inode(struct inode *inode, int mode, int rc) 179{ 180 struct task_smack *tsp = smack_cred(current_cred()); 181 struct inode_smack *isp = smack_inode(inode); 182 char acc[SMK_NUM_ACCESS_TYPE + 1]; 183 184 if (isp->smk_flags & SMK_INODE_IMPURE) 185 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 188 if (rc <= 0) 189 return rc; 190 if (rc > SMACK_UNCONFINED_OBJECT) 191 rc = 0; 192 if (rc == SMACK_UNCONFINED_SUBJECT && 193 (mode & (MAY_WRITE | MAY_APPEND))) 194 isp->smk_flags |= SMK_INODE_IMPURE; 195 196 smk_bu_mode(mode, acc); 197 198 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 199 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 200 inode->i_sb->s_id, inode->i_ino, current->comm); 201 return 0; 202} 203#else 204#define smk_bu_inode(inode, mode, RC) (RC) 205#endif 206 207#ifdef CONFIG_SECURITY_SMACK_BRINGUP 208static int smk_bu_file(struct file *file, int mode, int rc) 209{ 210 struct task_smack *tsp = smack_cred(current_cred()); 211 struct smack_known *sskp = tsp->smk_task; 212 struct inode *inode = file_inode(file); 213 struct inode_smack *isp = smack_inode(inode); 214 char acc[SMK_NUM_ACCESS_TYPE + 1]; 215 216 if (isp->smk_flags & SMK_INODE_IMPURE) 217 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 218 inode->i_sb->s_id, inode->i_ino, current->comm); 219 220 if (rc <= 0) 221 return rc; 222 if (rc > SMACK_UNCONFINED_OBJECT) 223 rc = 0; 224 225 smk_bu_mode(mode, acc); 226 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 227 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 228 inode->i_sb->s_id, inode->i_ino, file, 229 current->comm); 230 return 0; 231} 232#else 233#define smk_bu_file(file, mode, RC) (RC) 234#endif 235 236#ifdef CONFIG_SECURITY_SMACK_BRINGUP 237static int smk_bu_credfile(const struct cred *cred, struct file *file, 238 int mode, int rc) 239{ 240 struct task_smack *tsp = smack_cred(cred); 241 struct smack_known *sskp = tsp->smk_task; 242 struct inode *inode = file_inode(file); 243 struct inode_smack *isp = smack_inode(inode); 244 char acc[SMK_NUM_ACCESS_TYPE + 1]; 245 246 if (isp->smk_flags & SMK_INODE_IMPURE) 247 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 248 inode->i_sb->s_id, inode->i_ino, current->comm); 249 250 if (rc <= 0) 251 return rc; 252 if (rc > SMACK_UNCONFINED_OBJECT) 253 rc = 0; 254 255 smk_bu_mode(mode, acc); 256 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 257 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 258 inode->i_sb->s_id, inode->i_ino, file, 259 current->comm); 260 return 0; 261} 262#else 263#define smk_bu_credfile(cred, file, mode, RC) (RC) 264#endif 265 266/** 267 * smk_fetch - Fetch the smack label from a file. 268 * @name: type of the label (attribute) 269 * @ip: a pointer to the inode 270 * @dp: a pointer to the dentry 271 * 272 * Returns a pointer to the master list entry for the Smack label, 273 * NULL if there was no label to fetch, or an error code. 274 */ 275static struct smack_known *smk_fetch(const char *name, struct inode *ip, 276 struct dentry *dp) 277{ 278 int rc; 279 char *buffer; 280 struct smack_known *skp = NULL; 281 282 if (!(ip->i_opflags & IOP_XATTR)) 283 return ERR_PTR(-EOPNOTSUPP); 284 285 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 286 if (buffer == NULL) 287 return ERR_PTR(-ENOMEM); 288 289 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 290 if (rc < 0) 291 skp = ERR_PTR(rc); 292 else if (rc == 0) 293 skp = NULL; 294 else 295 skp = smk_import_entry(buffer, rc); 296 297 kfree(buffer); 298 299 return skp; 300} 301 302/** 303 * init_inode_smack - initialize an inode security blob 304 * @inode: inode to extract the info from 305 * @skp: a pointer to the Smack label entry to use in the blob 306 * 307 */ 308static void init_inode_smack(struct inode *inode, struct smack_known *skp) 309{ 310 struct inode_smack *isp = smack_inode(inode); 311 312 isp->smk_inode = skp; 313 isp->smk_flags = 0; 314} 315 316/** 317 * init_task_smack - initialize a task security blob 318 * @tsp: blob to initialize 319 * @task: a pointer to the Smack label for the running task 320 * @forked: a pointer to the Smack label for the forked task 321 * 322 */ 323static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 324 struct smack_known *forked) 325{ 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331} 332 333/** 334 * smk_copy_rules - copy a rule set 335 * @nhead: new rules header pointer 336 * @ohead: old rules header pointer 337 * @gfp: type of the memory for the allocation 338 * 339 * Returns 0 on success, -ENOMEM on error 340 */ 341static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 342 gfp_t gfp) 343{ 344 struct smack_rule *nrp; 345 struct smack_rule *orp; 346 int rc = 0; 347 348 list_for_each_entry_rcu(orp, ohead, list) { 349 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 350 if (nrp == NULL) { 351 rc = -ENOMEM; 352 break; 353 } 354 *nrp = *orp; 355 list_add_rcu(&nrp->list, nhead); 356 } 357 return rc; 358} 359 360/** 361 * smk_copy_relabel - copy smk_relabel labels list 362 * @nhead: new rules header pointer 363 * @ohead: old rules header pointer 364 * @gfp: type of the memory for the allocation 365 * 366 * Returns 0 on success, -ENOMEM on error 367 */ 368static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 369 gfp_t gfp) 370{ 371 struct smack_known_list_elem *nklep; 372 struct smack_known_list_elem *oklep; 373 374 list_for_each_entry(oklep, ohead, list) { 375 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 376 if (nklep == NULL) { 377 smk_destroy_label_list(nhead); 378 return -ENOMEM; 379 } 380 nklep->smk_label = oklep->smk_label; 381 list_add(&nklep->list, nhead); 382 } 383 384 return 0; 385} 386 387/** 388 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 389 * @mode: input mode in form of PTRACE_MODE_* 390 * 391 * Returns a converted MAY_* mode usable by smack rules 392 */ 393static inline unsigned int smk_ptrace_mode(unsigned int mode) 394{ 395 if (mode & PTRACE_MODE_ATTACH) 396 return MAY_READWRITE; 397 if (mode & PTRACE_MODE_READ) 398 return MAY_READ; 399 400 return 0; 401} 402 403/** 404 * smk_ptrace_rule_check - helper for ptrace access 405 * @tracer: tracer process 406 * @tracee_known: label entry of the process that's about to be traced 407 * @mode: ptrace attachment mode (PTRACE_MODE_*) 408 * @func: name of the function that called us, used for audit 409 * 410 * Returns 0 on access granted, -error on error 411 */ 412static int smk_ptrace_rule_check(struct task_struct *tracer, 413 struct smack_known *tracee_known, 414 unsigned int mode, const char *func) 415{ 416 int rc; 417 struct smk_audit_info ad, *saip = NULL; 418 struct task_smack *tsp; 419 struct smack_known *tracer_known; 420 const struct cred *tracercred; 421 422 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 423 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 424 smk_ad_setfield_u_tsk(&ad, tracer); 425 saip = &ad; 426 } 427 428 rcu_read_lock(); 429 tracercred = __task_cred(tracer); 430 tsp = smack_cred(tracercred); 431 tracer_known = smk_of_task(tsp); 432 433 if ((mode & PTRACE_MODE_ATTACH) && 434 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 435 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 436 if (tracer_known->smk_known == tracee_known->smk_known) 437 rc = 0; 438 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 439 rc = -EACCES; 440 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 441 rc = 0; 442 else 443 rc = -EACCES; 444 445 if (saip) 446 smack_log(tracer_known->smk_known, 447 tracee_known->smk_known, 448 0, rc, saip); 449 450 rcu_read_unlock(); 451 return rc; 452 } 453 454 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 455 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 456 457 rcu_read_unlock(); 458 return rc; 459} 460 461/* 462 * LSM hooks. 463 * We he, that is fun! 464 */ 465 466/** 467 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 468 * @ctp: child task pointer 469 * @mode: ptrace attachment mode (PTRACE_MODE_*) 470 * 471 * Returns 0 if access is OK, an error code otherwise 472 * 473 * Do the capability checks. 474 */ 475static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 476{ 477 struct smack_known *skp; 478 479 skp = smk_of_task_struct_obj(ctp); 480 481 return smk_ptrace_rule_check(current, skp, mode, __func__); 482} 483 484/** 485 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 486 * @ptp: parent task pointer 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks, and require PTRACE_MODE_ATTACH. 491 */ 492static int smack_ptrace_traceme(struct task_struct *ptp) 493{ 494 struct smack_known *skp; 495 496 skp = smk_of_task(smack_cred(current_cred())); 497 498 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 499} 500 501/** 502 * smack_syslog - Smack approval on syslog 503 * @typefrom_file: unused 504 * 505 * Returns 0 on success, error code otherwise. 506 */ 507static int smack_syslog(int typefrom_file) 508{ 509 int rc = 0; 510 struct smack_known *skp = smk_of_current(); 511 512 if (smack_privileged(CAP_MAC_OVERRIDE)) 513 return 0; 514 515 if (smack_syslog_label != NULL && smack_syslog_label != skp) 516 rc = -EACCES; 517 518 return rc; 519} 520 521/* 522 * Superblock Hooks. 523 */ 524 525/** 526 * smack_sb_alloc_security - allocate a superblock blob 527 * @sb: the superblock getting the blob 528 * 529 * Returns 0 on success or -ENOMEM on error. 530 */ 531static int smack_sb_alloc_security(struct super_block *sb) 532{ 533 struct superblock_smack *sbsp = smack_superblock(sb); 534 535 sbsp->smk_root = &smack_known_floor; 536 sbsp->smk_default = &smack_known_floor; 537 sbsp->smk_floor = &smack_known_floor; 538 sbsp->smk_hat = &smack_known_hat; 539 /* 540 * SMK_SB_INITIALIZED will be zero from kzalloc. 541 */ 542 543 return 0; 544} 545 546struct smack_mnt_opts { 547 const char *fsdefault; 548 const char *fsfloor; 549 const char *fshat; 550 const char *fsroot; 551 const char *fstransmute; 552}; 553 554static void smack_free_mnt_opts(void *mnt_opts) 555{ 556 kfree(mnt_opts); 557} 558 559static int smack_add_opt(int token, const char *s, void **mnt_opts) 560{ 561 struct smack_mnt_opts *opts = *mnt_opts; 562 struct smack_known *skp; 563 564 if (!opts) { 565 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 566 if (!opts) 567 return -ENOMEM; 568 *mnt_opts = opts; 569 } 570 if (!s) 571 return -ENOMEM; 572 573 skp = smk_import_entry(s, 0); 574 if (IS_ERR(skp)) 575 return PTR_ERR(skp); 576 577 switch (token) { 578 case Opt_fsdefault: 579 if (opts->fsdefault) 580 goto out_opt_err; 581 opts->fsdefault = skp->smk_known; 582 break; 583 case Opt_fsfloor: 584 if (opts->fsfloor) 585 goto out_opt_err; 586 opts->fsfloor = skp->smk_known; 587 break; 588 case Opt_fshat: 589 if (opts->fshat) 590 goto out_opt_err; 591 opts->fshat = skp->smk_known; 592 break; 593 case Opt_fsroot: 594 if (opts->fsroot) 595 goto out_opt_err; 596 opts->fsroot = skp->smk_known; 597 break; 598 case Opt_fstransmute: 599 if (opts->fstransmute) 600 goto out_opt_err; 601 opts->fstransmute = skp->smk_known; 602 break; 603 } 604 return 0; 605 606out_opt_err: 607 pr_warn("Smack: duplicate mount options\n"); 608 return -EINVAL; 609} 610 611/** 612 * smack_fs_context_submount - Initialise security data for a filesystem context 613 * @fc: The filesystem context. 614 * @reference: reference superblock 615 * 616 * Returns 0 on success or -ENOMEM on error. 617 */ 618static int smack_fs_context_submount(struct fs_context *fc, 619 struct super_block *reference) 620{ 621 struct superblock_smack *sbsp; 622 struct smack_mnt_opts *ctx; 623 struct inode_smack *isp; 624 625 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 626 if (!ctx) 627 return -ENOMEM; 628 fc->security = ctx; 629 630 sbsp = smack_superblock(reference); 631 isp = smack_inode(reference->s_root->d_inode); 632 633 if (sbsp->smk_default) { 634 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 635 if (!ctx->fsdefault) 636 return -ENOMEM; 637 } 638 639 if (sbsp->smk_floor) { 640 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 641 if (!ctx->fsfloor) 642 return -ENOMEM; 643 } 644 645 if (sbsp->smk_hat) { 646 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 647 if (!ctx->fshat) 648 return -ENOMEM; 649 } 650 651 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 652 if (sbsp->smk_root) { 653 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 654 if (!ctx->fstransmute) 655 return -ENOMEM; 656 } 657 } 658 return 0; 659} 660 661/** 662 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 663 * @fc: The new filesystem context. 664 * @src_fc: The source filesystem context being duplicated. 665 * 666 * Returns 0 on success or -ENOMEM on error. 667 */ 668static int smack_fs_context_dup(struct fs_context *fc, 669 struct fs_context *src_fc) 670{ 671 struct smack_mnt_opts *dst, *src = src_fc->security; 672 673 if (!src) 674 return 0; 675 676 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 677 if (!fc->security) 678 return -ENOMEM; 679 680 dst = fc->security; 681 dst->fsdefault = src->fsdefault; 682 dst->fsfloor = src->fsfloor; 683 dst->fshat = src->fshat; 684 dst->fsroot = src->fsroot; 685 dst->fstransmute = src->fstransmute; 686 687 return 0; 688} 689 690static const struct fs_parameter_spec smack_fs_parameters[] = { 691 fsparam_string("smackfsdef", Opt_fsdefault), 692 fsparam_string("smackfsdefault", Opt_fsdefault), 693 fsparam_string("smackfsfloor", Opt_fsfloor), 694 fsparam_string("smackfshat", Opt_fshat), 695 fsparam_string("smackfsroot", Opt_fsroot), 696 fsparam_string("smackfstransmute", Opt_fstransmute), 697 {} 698}; 699 700/** 701 * smack_fs_context_parse_param - Parse a single mount parameter 702 * @fc: The new filesystem context being constructed. 703 * @param: The parameter. 704 * 705 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 706 * error. 707 */ 708static int smack_fs_context_parse_param(struct fs_context *fc, 709 struct fs_parameter *param) 710{ 711 struct fs_parse_result result; 712 int opt, rc; 713 714 opt = fs_parse(fc, smack_fs_parameters, param, &result); 715 if (opt < 0) 716 return opt; 717 718 rc = smack_add_opt(opt, param->string, &fc->security); 719 if (!rc) 720 param->string = NULL; 721 return rc; 722} 723 724static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 725{ 726 char *from = options, *to = options; 727 bool first = true; 728 729 while (1) { 730 char *next = strchr(from, ','); 731 int token, len, rc; 732 char *arg = NULL; 733 734 if (next) 735 len = next - from; 736 else 737 len = strlen(from); 738 739 token = match_opt_prefix(from, len, &arg); 740 if (token != Opt_error) { 741 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 742 rc = smack_add_opt(token, arg, mnt_opts); 743 kfree(arg); 744 if (unlikely(rc)) { 745 if (*mnt_opts) 746 smack_free_mnt_opts(*mnt_opts); 747 *mnt_opts = NULL; 748 return rc; 749 } 750 } else { 751 if (!first) { // copy with preceding comma 752 from--; 753 len++; 754 } 755 if (to != from) 756 memmove(to, from, len); 757 to += len; 758 first = false; 759 } 760 if (!from[len]) 761 break; 762 from += len + 1; 763 } 764 *to = '\0'; 765 return 0; 766} 767 768/** 769 * smack_set_mnt_opts - set Smack specific mount options 770 * @sb: the file system superblock 771 * @mnt_opts: Smack mount options 772 * @kern_flags: mount option from kernel space or user space 773 * @set_kern_flags: where to store converted mount opts 774 * 775 * Returns 0 on success, an error code on failure 776 * 777 * Allow filesystems with binary mount data to explicitly set Smack mount 778 * labels. 779 */ 780static int smack_set_mnt_opts(struct super_block *sb, 781 void *mnt_opts, 782 unsigned long kern_flags, 783 unsigned long *set_kern_flags) 784{ 785 struct dentry *root = sb->s_root; 786 struct inode *inode = d_backing_inode(root); 787 struct superblock_smack *sp = smack_superblock(sb); 788 struct inode_smack *isp; 789 struct smack_known *skp; 790 struct smack_mnt_opts *opts = mnt_opts; 791 bool transmute = false; 792 793 if (sp->smk_flags & SMK_SB_INITIALIZED) 794 return 0; 795 796 if (!smack_privileged(CAP_MAC_ADMIN)) { 797 /* 798 * Unprivileged mounts don't get to specify Smack values. 799 */ 800 if (opts) 801 return -EPERM; 802 /* 803 * Unprivileged mounts get root and default from the caller. 804 */ 805 skp = smk_of_current(); 806 sp->smk_root = skp; 807 sp->smk_default = skp; 808 /* 809 * For a handful of fs types with no user-controlled 810 * backing store it's okay to trust security labels 811 * in the filesystem. The rest are untrusted. 812 */ 813 if (sb->s_user_ns != &init_user_ns && 814 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 815 sb->s_magic != RAMFS_MAGIC) { 816 transmute = true; 817 sp->smk_flags |= SMK_SB_UNTRUSTED; 818 } 819 } 820 821 sp->smk_flags |= SMK_SB_INITIALIZED; 822 823 if (opts) { 824 if (opts->fsdefault) { 825 skp = smk_import_entry(opts->fsdefault, 0); 826 if (IS_ERR(skp)) 827 return PTR_ERR(skp); 828 sp->smk_default = skp; 829 } 830 if (opts->fsfloor) { 831 skp = smk_import_entry(opts->fsfloor, 0); 832 if (IS_ERR(skp)) 833 return PTR_ERR(skp); 834 sp->smk_floor = skp; 835 } 836 if (opts->fshat) { 837 skp = smk_import_entry(opts->fshat, 0); 838 if (IS_ERR(skp)) 839 return PTR_ERR(skp); 840 sp->smk_hat = skp; 841 } 842 if (opts->fsroot) { 843 skp = smk_import_entry(opts->fsroot, 0); 844 if (IS_ERR(skp)) 845 return PTR_ERR(skp); 846 sp->smk_root = skp; 847 } 848 if (opts->fstransmute) { 849 skp = smk_import_entry(opts->fstransmute, 0); 850 if (IS_ERR(skp)) 851 return PTR_ERR(skp); 852 sp->smk_root = skp; 853 transmute = true; 854 } 855 } 856 857 /* 858 * Initialize the root inode. 859 */ 860 init_inode_smack(inode, sp->smk_root); 861 862 if (transmute) { 863 isp = smack_inode(inode); 864 isp->smk_flags |= SMK_INODE_TRANSMUTE; 865 } 866 867 return 0; 868} 869 870/** 871 * smack_sb_statfs - Smack check on statfs 872 * @dentry: identifies the file system in question 873 * 874 * Returns 0 if current can read the floor of the filesystem, 875 * and error code otherwise 876 */ 877static int smack_sb_statfs(struct dentry *dentry) 878{ 879 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 880 int rc; 881 struct smk_audit_info ad; 882 883 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 884 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 885 886 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 887 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 888 return rc; 889} 890 891/* 892 * BPRM hooks 893 */ 894 895/** 896 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 897 * @bprm: the exec information 898 * 899 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 900 */ 901static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 902{ 903 struct inode *inode = file_inode(bprm->file); 904 struct task_smack *bsp = smack_cred(bprm->cred); 905 struct inode_smack *isp; 906 struct superblock_smack *sbsp; 907 int rc; 908 909 isp = smack_inode(inode); 910 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 911 return 0; 912 913 sbsp = smack_superblock(inode->i_sb); 914 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 915 isp->smk_task != sbsp->smk_root) 916 return 0; 917 918 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 919 struct task_struct *tracer; 920 rc = 0; 921 922 rcu_read_lock(); 923 tracer = ptrace_parent(current); 924 if (likely(tracer != NULL)) 925 rc = smk_ptrace_rule_check(tracer, 926 isp->smk_task, 927 PTRACE_MODE_ATTACH, 928 __func__); 929 rcu_read_unlock(); 930 931 if (rc != 0) 932 return rc; 933 } 934 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 935 return -EPERM; 936 937 bsp->smk_task = isp->smk_task; 938 bprm->per_clear |= PER_CLEAR_ON_SETID; 939 940 /* Decide if this is a secure exec. */ 941 if (bsp->smk_task != bsp->smk_forked) 942 bprm->secureexec = 1; 943 944 return 0; 945} 946 947/* 948 * Inode hooks 949 */ 950 951/** 952 * smack_inode_alloc_security - allocate an inode blob 953 * @inode: the inode in need of a blob 954 * 955 * Returns 0 956 */ 957static int smack_inode_alloc_security(struct inode *inode) 958{ 959 struct smack_known *skp = smk_of_current(); 960 961 init_inode_smack(inode, skp); 962 return 0; 963} 964 965/** 966 * smk_rule_transmutes - does access rule for (subject,object) contain 't'? 967 * @subject: a pointer to the subject's Smack label entry 968 * @object: a pointer to the object's Smack label entry 969 */ 970static bool 971smk_rule_transmutes(struct smack_known *subject, 972 const struct smack_known *object) 973{ 974 int may; 975 976 rcu_read_lock(); 977 may = smk_access_entry(subject->smk_known, object->smk_known, 978 &subject->smk_rules); 979 rcu_read_unlock(); 980 return (may > 0) && (may & MAY_TRANSMUTE); 981} 982 983static int 984xattr_dupval(struct xattr *xattrs, int *xattr_count, 985 const char *name, const void *value, unsigned int vallen) 986{ 987 struct xattr * const xattr = lsm_get_xattr_slot(xattrs, xattr_count); 988 989 if (!xattr) 990 return 0; 991 992 xattr->value = kmemdup(value, vallen, GFP_NOFS); 993 if (!xattr->value) 994 return -ENOMEM; 995 996 xattr->value_len = vallen; 997 xattr->name = name; 998 return 0; 999} 1000 1001/** 1002 * smack_inode_init_security - copy out the smack from an inode 1003 * @inode: the newly created inode 1004 * @dir: containing directory object 1005 * @qstr: unused 1006 * @xattrs: where to put the attributes 1007 * @xattr_count: current number of LSM-provided xattrs (updated) 1008 * 1009 * Returns 0 if it all works out, -ENOMEM if there's no memory 1010 */ 1011static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1012 const struct qstr *qstr, 1013 struct xattr *xattrs, int *xattr_count) 1014{ 1015 struct task_smack *tsp = smack_cred(current_cred()); 1016 struct inode_smack * const issp = smack_inode(inode); 1017 struct smack_known *dsp = smk_of_inode(dir); 1018 int rc = 0; 1019 int transflag = 0; 1020 bool trans_cred; 1021 bool trans_rule; 1022 1023 /* 1024 * UNIX domain sockets use lower level socket data. Let 1025 * UDS inode have fixed * label to keep smack_inode_permission() calm 1026 * when called from unix_find_bsd() 1027 */ 1028 if (S_ISSOCK(inode->i_mode)) { 1029 /* forced label, no need to save to xattrs */ 1030 issp->smk_inode = &smack_known_star; 1031 goto instant_inode; 1032 } 1033 /* 1034 * If equal, transmuting already occurred in 1035 * smack_dentry_create_files_as(). No need to check again. 1036 */ 1037 trans_cred = (tsp->smk_task == tsp->smk_transmuted); 1038 if (!trans_cred) 1039 trans_rule = smk_rule_transmutes(smk_of_task(tsp), dsp); 1040 1041 /* 1042 * In addition to having smk_task equal to smk_transmuted, 1043 * if the access rule allows transmutation and the directory 1044 * requests transmutation then by all means transmute. 1045 * Mark the inode as changed. 1046 */ 1047 if (trans_cred || (trans_rule && smk_inode_transmutable(dir))) { 1048 /* 1049 * The caller of smack_dentry_create_files_as() 1050 * should have overridden the current cred, so the 1051 * inode label was already set correctly in 1052 * smack_inode_alloc_security(). 1053 */ 1054 if (!trans_cred) 1055 issp->smk_inode = dsp; 1056 1057 if (S_ISDIR(inode->i_mode)) { 1058 transflag = SMK_INODE_TRANSMUTE; 1059 1060 if (xattr_dupval(xattrs, xattr_count, 1061 XATTR_SMACK_TRANSMUTE, 1062 TRANS_TRUE, 1063 TRANS_TRUE_SIZE 1064 )) 1065 rc = -ENOMEM; 1066 } 1067 } 1068 1069 if (rc == 0) 1070 if (xattr_dupval(xattrs, xattr_count, 1071 XATTR_SMACK_SUFFIX, 1072 issp->smk_inode->smk_known, 1073 strlen(issp->smk_inode->smk_known) 1074 )) 1075 rc = -ENOMEM; 1076instant_inode: 1077 issp->smk_flags |= (SMK_INODE_INSTANT | transflag); 1078 return rc; 1079} 1080 1081/** 1082 * smack_inode_link - Smack check on link 1083 * @old_dentry: the existing object 1084 * @dir: unused 1085 * @new_dentry: the new object 1086 * 1087 * Returns 0 if access is permitted, an error code otherwise 1088 */ 1089static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1090 struct dentry *new_dentry) 1091{ 1092 struct smack_known *isp; 1093 struct smk_audit_info ad; 1094 int rc; 1095 1096 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1097 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1098 1099 isp = smk_of_inode(d_backing_inode(old_dentry)); 1100 rc = smk_curacc(isp, MAY_WRITE, &ad); 1101 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1102 1103 if (rc == 0 && d_is_positive(new_dentry)) { 1104 isp = smk_of_inode(d_backing_inode(new_dentry)); 1105 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1106 rc = smk_curacc(isp, MAY_WRITE, &ad); 1107 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1108 } 1109 1110 return rc; 1111} 1112 1113/** 1114 * smack_inode_unlink - Smack check on inode deletion 1115 * @dir: containing directory object 1116 * @dentry: file to unlink 1117 * 1118 * Returns 0 if current can write the containing directory 1119 * and the object, error code otherwise 1120 */ 1121static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1122{ 1123 struct inode *ip = d_backing_inode(dentry); 1124 struct smk_audit_info ad; 1125 int rc; 1126 1127 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1128 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1129 1130 /* 1131 * You need write access to the thing you're unlinking 1132 */ 1133 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1134 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1135 if (rc == 0) { 1136 /* 1137 * You also need write access to the containing directory 1138 */ 1139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1140 smk_ad_setfield_u_fs_inode(&ad, dir); 1141 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1142 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1143 } 1144 return rc; 1145} 1146 1147/** 1148 * smack_inode_rmdir - Smack check on directory deletion 1149 * @dir: containing directory object 1150 * @dentry: directory to unlink 1151 * 1152 * Returns 0 if current can write the containing directory 1153 * and the directory, error code otherwise 1154 */ 1155static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1156{ 1157 struct smk_audit_info ad; 1158 int rc; 1159 1160 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1161 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1162 1163 /* 1164 * You need write access to the thing you're removing 1165 */ 1166 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1167 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1168 if (rc == 0) { 1169 /* 1170 * You also need write access to the containing directory 1171 */ 1172 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1173 smk_ad_setfield_u_fs_inode(&ad, dir); 1174 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1175 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1176 } 1177 1178 return rc; 1179} 1180 1181/** 1182 * smack_inode_rename - Smack check on rename 1183 * @old_inode: unused 1184 * @old_dentry: the old object 1185 * @new_inode: unused 1186 * @new_dentry: the new object 1187 * 1188 * Read and write access is required on both the old and 1189 * new directories. 1190 * 1191 * Returns 0 if access is permitted, an error code otherwise 1192 */ 1193static int smack_inode_rename(struct inode *old_inode, 1194 struct dentry *old_dentry, 1195 struct inode *new_inode, 1196 struct dentry *new_dentry) 1197{ 1198 int rc; 1199 struct smack_known *isp; 1200 struct smk_audit_info ad; 1201 1202 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1203 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1204 1205 isp = smk_of_inode(d_backing_inode(old_dentry)); 1206 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1207 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1208 1209 if (rc == 0 && d_is_positive(new_dentry)) { 1210 isp = smk_of_inode(d_backing_inode(new_dentry)); 1211 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1212 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1213 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1214 } 1215 return rc; 1216} 1217 1218/** 1219 * smack_inode_permission - Smack version of permission() 1220 * @inode: the inode in question 1221 * @mask: the access requested 1222 * 1223 * This is the important Smack hook. 1224 * 1225 * Returns 0 if access is permitted, an error code otherwise 1226 */ 1227static int smack_inode_permission(struct inode *inode, int mask) 1228{ 1229 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1230 struct smk_audit_info ad; 1231 int no_block = mask & MAY_NOT_BLOCK; 1232 int rc; 1233 1234 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1235 /* 1236 * No permission to check. Existence test. Yup, it's there. 1237 */ 1238 if (mask == 0) 1239 return 0; 1240 1241 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1242 if (smk_of_inode(inode) != sbsp->smk_root) 1243 return -EACCES; 1244 } 1245 1246 /* May be droppable after audit */ 1247 if (no_block) 1248 return -ECHILD; 1249 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1250 smk_ad_setfield_u_fs_inode(&ad, inode); 1251 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1252 rc = smk_bu_inode(inode, mask, rc); 1253 return rc; 1254} 1255 1256/** 1257 * smack_inode_setattr - Smack check for setting attributes 1258 * @idmap: idmap of the mount 1259 * @dentry: the object 1260 * @iattr: for the force flag 1261 * 1262 * Returns 0 if access is permitted, an error code otherwise 1263 */ 1264static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1265 struct iattr *iattr) 1266{ 1267 struct smk_audit_info ad; 1268 int rc; 1269 1270 /* 1271 * Need to allow for clearing the setuid bit. 1272 */ 1273 if (iattr->ia_valid & ATTR_FORCE) 1274 return 0; 1275 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1276 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1277 1278 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1279 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1280 return rc; 1281} 1282 1283/** 1284 * smack_inode_getattr - Smack check for getting attributes 1285 * @path: path to extract the info from 1286 * 1287 * Returns 0 if access is permitted, an error code otherwise 1288 */ 1289static int smack_inode_getattr(const struct path *path) 1290{ 1291 struct smk_audit_info ad; 1292 struct inode *inode = d_backing_inode(path->dentry); 1293 int rc; 1294 1295 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1296 smk_ad_setfield_u_fs_path(&ad, *path); 1297 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1298 rc = smk_bu_inode(inode, MAY_READ, rc); 1299 return rc; 1300} 1301 1302/** 1303 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1304 * @name: name of the xattr 1305 * 1306 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1307 * named @name; the LSM layer should avoid enforcing any traditional 1308 * capability based access controls on this xattr. Returns 0 to indicate that 1309 * Smack does not "own" the access control rights to xattrs named @name and is 1310 * deferring to the LSM layer for further access controls, including capability 1311 * based controls. 1312 */ 1313static int smack_inode_xattr_skipcap(const char *name) 1314{ 1315 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1316 return 0; 1317 1318 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1319 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1320 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1321 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1322 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1323 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1324 return 1; 1325 1326 return 0; 1327} 1328 1329/** 1330 * smack_inode_setxattr - Smack check for setting xattrs 1331 * @idmap: idmap of the mount 1332 * @dentry: the object 1333 * @name: name of the attribute 1334 * @value: value of the attribute 1335 * @size: size of the value 1336 * @flags: unused 1337 * 1338 * This protects the Smack attribute explicitly. 1339 * 1340 * Returns 0 if access is permitted, an error code otherwise 1341 */ 1342static int smack_inode_setxattr(struct mnt_idmap *idmap, 1343 struct dentry *dentry, const char *name, 1344 const void *value, size_t size, int flags) 1345{ 1346 struct smk_audit_info ad; 1347 struct smack_known *skp; 1348 int check_priv = 0; 1349 int check_import = 0; 1350 int check_star = 0; 1351 int rc = 0; 1352 umode_t const i_mode = d_backing_inode(dentry)->i_mode; 1353 1354 /* 1355 * Check label validity here so import won't fail in post_setxattr 1356 */ 1357 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1358 /* 1359 * UDS inode has fixed label 1360 */ 1361 if (S_ISSOCK(i_mode)) { 1362 rc = -EINVAL; 1363 } else { 1364 check_priv = 1; 1365 check_import = 1; 1366 } 1367 } else if (strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1368 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1369 check_priv = 1; 1370 check_import = 1; 1371 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1372 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1373 check_priv = 1; 1374 check_import = 1; 1375 check_star = 1; 1376 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1377 check_priv = 1; 1378 if (!S_ISDIR(i_mode) || 1379 size != TRANS_TRUE_SIZE || 1380 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1381 rc = -EINVAL; 1382 } 1383 1384 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1385 rc = -EPERM; 1386 1387 if (rc == 0 && check_import) { 1388 skp = size ? smk_import_entry(value, size) : NULL; 1389 if (IS_ERR(skp)) 1390 rc = PTR_ERR(skp); 1391 else if (skp == NULL || (check_star && 1392 (skp == &smack_known_star || skp == &smack_known_web))) 1393 rc = -EINVAL; 1394 } 1395 1396 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1397 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1398 1399 if (rc == 0) { 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1402 } 1403 1404 return rc; 1405} 1406 1407/** 1408 * smack_inode_post_setxattr - Apply the Smack update approved above 1409 * @dentry: object 1410 * @name: attribute name 1411 * @value: attribute value 1412 * @size: attribute size 1413 * @flags: unused 1414 * 1415 * Set the pointer in the inode blob to the entry found 1416 * in the master label list. 1417 */ 1418static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1419 const void *value, size_t size, int flags) 1420{ 1421 struct smack_known *skp; 1422 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1423 1424 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1425 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1426 return; 1427 } 1428 1429 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1430 skp = smk_import_entry(value, size); 1431 if (!IS_ERR(skp)) 1432 isp->smk_inode = skp; 1433 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1434 skp = smk_import_entry(value, size); 1435 if (!IS_ERR(skp)) 1436 isp->smk_task = skp; 1437 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1438 skp = smk_import_entry(value, size); 1439 if (!IS_ERR(skp)) 1440 isp->smk_mmap = skp; 1441 } 1442 1443 return; 1444} 1445 1446/** 1447 * smack_inode_getxattr - Smack check on getxattr 1448 * @dentry: the object 1449 * @name: unused 1450 * 1451 * Returns 0 if access is permitted, an error code otherwise 1452 */ 1453static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1454{ 1455 struct smk_audit_info ad; 1456 int rc; 1457 1458 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1459 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1460 1461 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1462 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1463 return rc; 1464} 1465 1466/** 1467 * smack_inode_removexattr - Smack check on removexattr 1468 * @idmap: idmap of the mount 1469 * @dentry: the object 1470 * @name: name of the attribute 1471 * 1472 * Removing the Smack attribute requires CAP_MAC_ADMIN 1473 * 1474 * Returns 0 if access is permitted, an error code otherwise 1475 */ 1476static int smack_inode_removexattr(struct mnt_idmap *idmap, 1477 struct dentry *dentry, const char *name) 1478{ 1479 struct inode_smack *isp; 1480 struct smk_audit_info ad; 1481 int rc = 0; 1482 1483 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1484 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1485 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1486 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1487 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1488 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1489 if (!smack_privileged(CAP_MAC_ADMIN)) 1490 rc = -EPERM; 1491 } 1492 1493 if (rc != 0) 1494 return rc; 1495 1496 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1497 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1498 1499 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1500 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1501 if (rc != 0) 1502 return rc; 1503 1504 isp = smack_inode(d_backing_inode(dentry)); 1505 /* 1506 * Don't do anything special for these. 1507 * XATTR_NAME_SMACKIPIN 1508 * XATTR_NAME_SMACKIPOUT 1509 * XATTR_NAME_SMACK if S_ISSOCK (UDS inode has fixed label) 1510 */ 1511 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1512 if (!S_ISSOCK(d_backing_inode(dentry)->i_mode)) { 1513 struct super_block *sbp = dentry->d_sb; 1514 struct superblock_smack *sbsp = smack_superblock(sbp); 1515 1516 isp->smk_inode = sbsp->smk_default; 1517 } 1518 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1519 isp->smk_task = NULL; 1520 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1521 isp->smk_mmap = NULL; 1522 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1523 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1524 1525 return 0; 1526} 1527 1528/** 1529 * smack_inode_set_acl - Smack check for setting posix acls 1530 * @idmap: idmap of the mnt this request came from 1531 * @dentry: the object 1532 * @acl_name: name of the posix acl 1533 * @kacl: the posix acls 1534 * 1535 * Returns 0 if access is permitted, an error code otherwise 1536 */ 1537static int smack_inode_set_acl(struct mnt_idmap *idmap, 1538 struct dentry *dentry, const char *acl_name, 1539 struct posix_acl *kacl) 1540{ 1541 struct smk_audit_info ad; 1542 int rc; 1543 1544 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1545 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1546 1547 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1548 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1549 return rc; 1550} 1551 1552/** 1553 * smack_inode_get_acl - Smack check for getting posix acls 1554 * @idmap: idmap of the mnt this request came from 1555 * @dentry: the object 1556 * @acl_name: name of the posix acl 1557 * 1558 * Returns 0 if access is permitted, an error code otherwise 1559 */ 1560static int smack_inode_get_acl(struct mnt_idmap *idmap, 1561 struct dentry *dentry, const char *acl_name) 1562{ 1563 struct smk_audit_info ad; 1564 int rc; 1565 1566 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1567 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1568 1569 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1570 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1571 return rc; 1572} 1573 1574/** 1575 * smack_inode_remove_acl - Smack check for getting posix acls 1576 * @idmap: idmap of the mnt this request came from 1577 * @dentry: the object 1578 * @acl_name: name of the posix acl 1579 * 1580 * Returns 0 if access is permitted, an error code otherwise 1581 */ 1582static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1583 struct dentry *dentry, const char *acl_name) 1584{ 1585 struct smk_audit_info ad; 1586 int rc; 1587 1588 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1589 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1590 1591 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1592 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1593 return rc; 1594} 1595 1596/** 1597 * smack_inode_getsecurity - get smack xattrs 1598 * @idmap: idmap of the mount 1599 * @inode: the object 1600 * @name: attribute name 1601 * @buffer: where to put the result 1602 * @alloc: duplicate memory 1603 * 1604 * Returns the size of the attribute or an error code 1605 */ 1606static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1607 struct inode *inode, const char *name, 1608 void **buffer, bool alloc) 1609{ 1610 struct socket_smack *ssp; 1611 struct socket *sock; 1612 struct super_block *sbp; 1613 struct inode *ip = inode; 1614 struct smack_known *isp; 1615 struct inode_smack *ispp; 1616 size_t label_len; 1617 char *label = NULL; 1618 1619 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1620 isp = smk_of_inode(inode); 1621 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1622 ispp = smack_inode(inode); 1623 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1624 label = TRANS_TRUE; 1625 else 1626 label = ""; 1627 } else { 1628 /* 1629 * The rest of the Smack xattrs are only on sockets. 1630 */ 1631 sbp = ip->i_sb; 1632 if (sbp->s_magic != SOCKFS_MAGIC) 1633 return -EOPNOTSUPP; 1634 1635 sock = SOCKET_I(ip); 1636 if (sock == NULL || sock->sk == NULL) 1637 return -EOPNOTSUPP; 1638 1639 ssp = smack_sock(sock->sk); 1640 1641 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1642 isp = ssp->smk_in; 1643 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1644 isp = ssp->smk_out; 1645 else 1646 return -EOPNOTSUPP; 1647 } 1648 1649 if (!label) 1650 label = isp->smk_known; 1651 1652 label_len = strlen(label); 1653 1654 if (alloc) { 1655 *buffer = kstrdup(label, GFP_KERNEL); 1656 if (*buffer == NULL) 1657 return -ENOMEM; 1658 } 1659 1660 return label_len; 1661} 1662 1663 1664/** 1665 * smack_inode_listsecurity - list the Smack attributes 1666 * @inode: the object 1667 * @buffer: where they go 1668 * @buffer_size: size of buffer 1669 */ 1670static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1671 size_t buffer_size) 1672{ 1673 int len = sizeof(XATTR_NAME_SMACK); 1674 1675 if (buffer != NULL && len <= buffer_size) 1676 memcpy(buffer, XATTR_NAME_SMACK, len); 1677 1678 return len; 1679} 1680 1681/** 1682 * smack_inode_getlsmprop - Extract inode's security id 1683 * @inode: inode to extract the info from 1684 * @prop: where result will be saved 1685 */ 1686static void smack_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 1687{ 1688 prop->smack.skp = smk_of_inode(inode); 1689} 1690 1691/* 1692 * File Hooks 1693 */ 1694 1695/* 1696 * There is no smack_file_permission hook 1697 * 1698 * Should access checks be done on each read or write? 1699 * UNICOS and SELinux say yes. 1700 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1701 * 1702 * I'll say no for now. Smack does not do the frequent 1703 * label changing that SELinux does. 1704 */ 1705 1706/** 1707 * smack_file_alloc_security - assign a file security blob 1708 * @file: the object 1709 * 1710 * The security blob for a file is a pointer to the master 1711 * label list, so no allocation is done. 1712 * 1713 * f_security is the owner security information. It 1714 * isn't used on file access checks, it's for send_sigio. 1715 * 1716 * Returns 0 1717 */ 1718static int smack_file_alloc_security(struct file *file) 1719{ 1720 struct smack_known **blob = smack_file(file); 1721 1722 *blob = smk_of_current(); 1723 return 0; 1724} 1725 1726/** 1727 * smack_file_ioctl - Smack check on ioctls 1728 * @file: the object 1729 * @cmd: what to do 1730 * @arg: unused 1731 * 1732 * Relies heavily on the correct use of the ioctl command conventions. 1733 * 1734 * Returns 0 if allowed, error code otherwise 1735 */ 1736static int smack_file_ioctl(struct file *file, unsigned int cmd, 1737 unsigned long arg) 1738{ 1739 int rc = 0; 1740 struct smk_audit_info ad; 1741 struct inode *inode = file_inode(file); 1742 1743 if (unlikely(IS_PRIVATE(inode))) 1744 return 0; 1745 1746 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1747 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1748 1749 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1750 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1751 rc = smk_bu_file(file, MAY_WRITE, rc); 1752 } 1753 1754 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1755 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1756 rc = smk_bu_file(file, MAY_READ, rc); 1757 } 1758 1759 return rc; 1760} 1761 1762/** 1763 * smack_file_lock - Smack check on file locking 1764 * @file: the object 1765 * @cmd: unused 1766 * 1767 * Returns 0 if current has lock access, error code otherwise 1768 */ 1769static int smack_file_lock(struct file *file, unsigned int cmd) 1770{ 1771 struct smk_audit_info ad; 1772 int rc; 1773 struct inode *inode = file_inode(file); 1774 1775 if (unlikely(IS_PRIVATE(inode))) 1776 return 0; 1777 1778 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1779 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1780 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1781 rc = smk_bu_file(file, MAY_LOCK, rc); 1782 return rc; 1783} 1784 1785/** 1786 * smack_file_fcntl - Smack check on fcntl 1787 * @file: the object 1788 * @cmd: what action to check 1789 * @arg: unused 1790 * 1791 * Generally these operations are harmless. 1792 * File locking operations present an obvious mechanism 1793 * for passing information, so they require write access. 1794 * 1795 * Returns 0 if current has access, error code otherwise 1796 */ 1797static int smack_file_fcntl(struct file *file, unsigned int cmd, 1798 unsigned long arg) 1799{ 1800 struct smk_audit_info ad; 1801 int rc = 0; 1802 struct inode *inode = file_inode(file); 1803 1804 if (unlikely(IS_PRIVATE(inode))) 1805 return 0; 1806 1807 switch (cmd) { 1808 case F_GETLK: 1809 break; 1810 case F_SETLK: 1811 case F_SETLKW: 1812 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1813 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1814 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1815 rc = smk_bu_file(file, MAY_LOCK, rc); 1816 break; 1817 case F_SETOWN: 1818 case F_SETSIG: 1819 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1820 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1821 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1822 rc = smk_bu_file(file, MAY_WRITE, rc); 1823 break; 1824 default: 1825 break; 1826 } 1827 1828 return rc; 1829} 1830 1831/** 1832 * smack_mmap_file - Check permissions for a mmap operation. 1833 * @file: contains the file structure for file to map (may be NULL). 1834 * @reqprot: contains the protection requested by the application. 1835 * @prot: contains the protection that will be applied by the kernel. 1836 * @flags: contains the operational flags. 1837 * 1838 * The @file may be NULL, e.g. if mapping anonymous memory. 1839 * 1840 * Return 0 if permission is granted. 1841 */ 1842static int smack_mmap_file(struct file *file, 1843 unsigned long reqprot, unsigned long prot, 1844 unsigned long flags) 1845{ 1846 struct smack_known *skp; 1847 struct smack_known *mkp; 1848 struct smack_rule *srp; 1849 struct task_smack *tsp; 1850 struct smack_known *okp; 1851 struct inode_smack *isp; 1852 struct superblock_smack *sbsp; 1853 int may; 1854 int mmay; 1855 int tmay; 1856 int rc; 1857 1858 if (file == NULL) 1859 return 0; 1860 1861 if (unlikely(IS_PRIVATE(file_inode(file)))) 1862 return 0; 1863 1864 isp = smack_inode(file_inode(file)); 1865 if (isp->smk_mmap == NULL) 1866 return 0; 1867 sbsp = smack_superblock(file_inode(file)->i_sb); 1868 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1869 isp->smk_mmap != sbsp->smk_root) 1870 return -EACCES; 1871 mkp = isp->smk_mmap; 1872 1873 tsp = smack_cred(current_cred()); 1874 skp = smk_of_current(); 1875 rc = 0; 1876 1877 rcu_read_lock(); 1878 /* 1879 * For each Smack rule associated with the subject 1880 * label verify that the SMACK64MMAP also has access 1881 * to that rule's object label. 1882 */ 1883 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1884 okp = srp->smk_object; 1885 /* 1886 * Matching labels always allows access. 1887 */ 1888 if (mkp->smk_known == okp->smk_known) 1889 continue; 1890 /* 1891 * If there is a matching local rule take 1892 * that into account as well. 1893 */ 1894 may = smk_access_entry(srp->smk_subject->smk_known, 1895 okp->smk_known, 1896 &tsp->smk_rules); 1897 if (may == -ENOENT) 1898 may = srp->smk_access; 1899 else 1900 may &= srp->smk_access; 1901 /* 1902 * If may is zero the SMACK64MMAP subject can't 1903 * possibly have less access. 1904 */ 1905 if (may == 0) 1906 continue; 1907 1908 /* 1909 * Fetch the global list entry. 1910 * If there isn't one a SMACK64MMAP subject 1911 * can't have as much access as current. 1912 */ 1913 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1914 &mkp->smk_rules); 1915 if (mmay == -ENOENT) { 1916 rc = -EACCES; 1917 break; 1918 } 1919 /* 1920 * If there is a local entry it modifies the 1921 * potential access, too. 1922 */ 1923 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1924 &tsp->smk_rules); 1925 if (tmay != -ENOENT) 1926 mmay &= tmay; 1927 1928 /* 1929 * If there is any access available to current that is 1930 * not available to a SMACK64MMAP subject 1931 * deny access. 1932 */ 1933 if ((may | mmay) != mmay) { 1934 rc = -EACCES; 1935 break; 1936 } 1937 } 1938 1939 rcu_read_unlock(); 1940 1941 return rc; 1942} 1943 1944/** 1945 * smack_file_set_fowner - set the file security blob value 1946 * @file: object in question 1947 * 1948 */ 1949static void smack_file_set_fowner(struct file *file) 1950{ 1951 struct smack_known **blob = smack_file(file); 1952 1953 *blob = smk_of_current(); 1954} 1955 1956/** 1957 * smack_file_send_sigiotask - Smack on sigio 1958 * @tsk: The target task 1959 * @fown: the object the signal come from 1960 * @signum: unused 1961 * 1962 * Allow a privileged task to get signals even if it shouldn't 1963 * 1964 * Returns 0 if a subject with the object's smack could 1965 * write to the task, an error code otherwise. 1966 */ 1967static int smack_file_send_sigiotask(struct task_struct *tsk, 1968 struct fown_struct *fown, int signum) 1969{ 1970 struct smack_known **blob; 1971 struct smack_known *skp; 1972 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1973 const struct cred *tcred; 1974 struct file *file; 1975 int rc; 1976 struct smk_audit_info ad; 1977 1978 /* 1979 * struct fown_struct is never outside the context of a struct file 1980 */ 1981 file = fown->file; 1982 1983 /* we don't log here as rc can be overridden */ 1984 blob = smack_file(file); 1985 skp = *blob; 1986 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1987 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1988 1989 rcu_read_lock(); 1990 tcred = __task_cred(tsk); 1991 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1992 rc = 0; 1993 rcu_read_unlock(); 1994 1995 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1996 smk_ad_setfield_u_tsk(&ad, tsk); 1997 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1998 return rc; 1999} 2000 2001/** 2002 * smack_file_receive - Smack file receive check 2003 * @file: the object 2004 * 2005 * Returns 0 if current has access, error code otherwise 2006 */ 2007static int smack_file_receive(struct file *file) 2008{ 2009 int rc; 2010 int may = 0; 2011 struct smk_audit_info ad; 2012 struct inode *inode = file_inode(file); 2013 struct socket *sock; 2014 struct task_smack *tsp; 2015 struct socket_smack *ssp; 2016 2017 if (unlikely(IS_PRIVATE(inode))) 2018 return 0; 2019 2020 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2021 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2022 2023 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 2024 sock = SOCKET_I(inode); 2025 ssp = smack_sock(sock->sk); 2026 tsp = smack_cred(current_cred()); 2027 /* 2028 * If the receiving process can't write to the 2029 * passed socket or if the passed socket can't 2030 * write to the receiving process don't accept 2031 * the passed socket. 2032 */ 2033 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 2034 rc = smk_bu_file(file, may, rc); 2035 if (rc < 0) 2036 return rc; 2037 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 2038 rc = smk_bu_file(file, may, rc); 2039 return rc; 2040 } 2041 /* 2042 * This code relies on bitmasks. 2043 */ 2044 if (file->f_mode & FMODE_READ) 2045 may = MAY_READ; 2046 if (file->f_mode & FMODE_WRITE) 2047 may |= MAY_WRITE; 2048 2049 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2050 rc = smk_bu_file(file, may, rc); 2051 return rc; 2052} 2053 2054/** 2055 * smack_file_open - Smack dentry open processing 2056 * @file: the object 2057 * 2058 * Set the security blob in the file structure. 2059 * Allow the open only if the task has read access. There are 2060 * many read operations (e.g. fstat) that you can do with an 2061 * fd even if you have the file open write-only. 2062 * 2063 * Returns 0 if current has access, error code otherwise 2064 */ 2065static int smack_file_open(struct file *file) 2066{ 2067 struct task_smack *tsp = smack_cred(file->f_cred); 2068 struct inode *inode = file_inode(file); 2069 struct smk_audit_info ad; 2070 int rc; 2071 2072 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2073 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2074 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2075 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2076 2077 return rc; 2078} 2079 2080/* 2081 * Task hooks 2082 */ 2083 2084/** 2085 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2086 * @cred: the new credentials 2087 * @gfp: the atomicity of any memory allocations 2088 * 2089 * Prepare a blank set of credentials for modification. This must allocate all 2090 * the memory the LSM module might require such that cred_transfer() can 2091 * complete without error. 2092 */ 2093static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2094{ 2095 init_task_smack(smack_cred(cred), NULL, NULL); 2096 return 0; 2097} 2098 2099 2100/** 2101 * smack_cred_free - "free" task-level security credentials 2102 * @cred: the credentials in question 2103 * 2104 */ 2105static void smack_cred_free(struct cred *cred) 2106{ 2107 struct task_smack *tsp = smack_cred(cred); 2108 struct smack_rule *rp; 2109 struct list_head *l; 2110 struct list_head *n; 2111 2112 smk_destroy_label_list(&tsp->smk_relabel); 2113 2114 list_for_each_safe(l, n, &tsp->smk_rules) { 2115 rp = list_entry(l, struct smack_rule, list); 2116 list_del(&rp->list); 2117 kmem_cache_free(smack_rule_cache, rp); 2118 } 2119} 2120 2121/** 2122 * smack_cred_prepare - prepare new set of credentials for modification 2123 * @new: the new credentials 2124 * @old: the original credentials 2125 * @gfp: the atomicity of any memory allocations 2126 * 2127 * Prepare a new set of credentials for modification. 2128 */ 2129static int smack_cred_prepare(struct cred *new, const struct cred *old, 2130 gfp_t gfp) 2131{ 2132 struct task_smack *old_tsp = smack_cred(old); 2133 struct task_smack *new_tsp = smack_cred(new); 2134 int rc; 2135 2136 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2137 2138 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2139 if (rc != 0) 2140 return rc; 2141 2142 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2143 gfp); 2144 return rc; 2145} 2146 2147/** 2148 * smack_cred_transfer - Transfer the old credentials to the new credentials 2149 * @new: the new credentials 2150 * @old: the original credentials 2151 * 2152 * Fill in a set of blank credentials from another set of credentials. 2153 */ 2154static void smack_cred_transfer(struct cred *new, const struct cred *old) 2155{ 2156 struct task_smack *old_tsp = smack_cred(old); 2157 struct task_smack *new_tsp = smack_cred(new); 2158 2159 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2160} 2161 2162/** 2163 * smack_cred_getsecid - get the secid corresponding to a creds structure 2164 * @cred: the object creds 2165 * @secid: where to put the result 2166 * 2167 * Sets the secid to contain a u32 version of the smack label. 2168 */ 2169static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2170{ 2171 struct smack_known *skp; 2172 2173 rcu_read_lock(); 2174 skp = smk_of_task(smack_cred(cred)); 2175 *secid = skp->smk_secid; 2176 rcu_read_unlock(); 2177} 2178 2179/** 2180 * smack_cred_getlsmprop - get the Smack label for a creds structure 2181 * @cred: the object creds 2182 * @prop: where to put the data 2183 * 2184 * Sets the Smack part of the ref 2185 */ 2186static void smack_cred_getlsmprop(const struct cred *cred, 2187 struct lsm_prop *prop) 2188{ 2189 rcu_read_lock(); 2190 prop->smack.skp = smk_of_task(smack_cred(cred)); 2191 rcu_read_unlock(); 2192} 2193 2194/** 2195 * smack_kernel_act_as - Set the subjective context in a set of credentials 2196 * @new: points to the set of credentials to be modified. 2197 * @secid: specifies the security ID to be set 2198 * 2199 * Set the security data for a kernel service. 2200 */ 2201static int smack_kernel_act_as(struct cred *new, u32 secid) 2202{ 2203 struct task_smack *new_tsp = smack_cred(new); 2204 2205 new_tsp->smk_task = smack_from_secid(secid); 2206 return 0; 2207} 2208 2209/** 2210 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2211 * @new: points to the set of credentials to be modified 2212 * @inode: points to the inode to use as a reference 2213 * 2214 * Set the file creation context in a set of credentials to the same 2215 * as the objective context of the specified inode 2216 */ 2217static int smack_kernel_create_files_as(struct cred *new, 2218 struct inode *inode) 2219{ 2220 struct inode_smack *isp = smack_inode(inode); 2221 struct task_smack *tsp = smack_cred(new); 2222 2223 tsp->smk_forked = isp->smk_inode; 2224 tsp->smk_task = tsp->smk_forked; 2225 return 0; 2226} 2227 2228/** 2229 * smk_curacc_on_task - helper to log task related access 2230 * @p: the task object 2231 * @access: the access requested 2232 * @caller: name of the calling function for audit 2233 * 2234 * Return 0 if access is permitted 2235 */ 2236static int smk_curacc_on_task(struct task_struct *p, int access, 2237 const char *caller) 2238{ 2239 struct smk_audit_info ad; 2240 struct smack_known *skp = smk_of_task_struct_obj(p); 2241 int rc; 2242 2243 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2244 smk_ad_setfield_u_tsk(&ad, p); 2245 rc = smk_curacc(skp, access, &ad); 2246 rc = smk_bu_task(p, access, rc); 2247 return rc; 2248} 2249 2250/** 2251 * smack_task_setpgid - Smack check on setting pgid 2252 * @p: the task object 2253 * @pgid: unused 2254 * 2255 * Return 0 if write access is permitted 2256 */ 2257static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2258{ 2259 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2260} 2261 2262/** 2263 * smack_task_getpgid - Smack access check for getpgid 2264 * @p: the object task 2265 * 2266 * Returns 0 if current can read the object task, error code otherwise 2267 */ 2268static int smack_task_getpgid(struct task_struct *p) 2269{ 2270 return smk_curacc_on_task(p, MAY_READ, __func__); 2271} 2272 2273/** 2274 * smack_task_getsid - Smack access check for getsid 2275 * @p: the object task 2276 * 2277 * Returns 0 if current can read the object task, error code otherwise 2278 */ 2279static int smack_task_getsid(struct task_struct *p) 2280{ 2281 return smk_curacc_on_task(p, MAY_READ, __func__); 2282} 2283 2284/** 2285 * smack_current_getlsmprop_subj - get the subjective secid of the current task 2286 * @prop: where to put the result 2287 * 2288 * Sets the secid to contain a u32 version of the task's subjective smack label. 2289 */ 2290static void smack_current_getlsmprop_subj(struct lsm_prop *prop) 2291{ 2292 prop->smack.skp = smk_of_current(); 2293} 2294 2295/** 2296 * smack_task_getlsmprop_obj - get the objective data of the task 2297 * @p: the task 2298 * @prop: where to put the result 2299 * 2300 * Sets the secid to contain a u32 version of the task's objective smack label. 2301 */ 2302static void smack_task_getlsmprop_obj(struct task_struct *p, 2303 struct lsm_prop *prop) 2304{ 2305 prop->smack.skp = smk_of_task_struct_obj(p); 2306} 2307 2308/** 2309 * smack_task_setnice - Smack check on setting nice 2310 * @p: the task object 2311 * @nice: unused 2312 * 2313 * Return 0 if write access is permitted 2314 */ 2315static int smack_task_setnice(struct task_struct *p, int nice) 2316{ 2317 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2318} 2319 2320/** 2321 * smack_task_setioprio - Smack check on setting ioprio 2322 * @p: the task object 2323 * @ioprio: unused 2324 * 2325 * Return 0 if write access is permitted 2326 */ 2327static int smack_task_setioprio(struct task_struct *p, int ioprio) 2328{ 2329 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2330} 2331 2332/** 2333 * smack_task_getioprio - Smack check on reading ioprio 2334 * @p: the task object 2335 * 2336 * Return 0 if read access is permitted 2337 */ 2338static int smack_task_getioprio(struct task_struct *p) 2339{ 2340 return smk_curacc_on_task(p, MAY_READ, __func__); 2341} 2342 2343/** 2344 * smack_task_setscheduler - Smack check on setting scheduler 2345 * @p: the task object 2346 * 2347 * Return 0 if read access is permitted 2348 */ 2349static int smack_task_setscheduler(struct task_struct *p) 2350{ 2351 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2352} 2353 2354/** 2355 * smack_task_getscheduler - Smack check on reading scheduler 2356 * @p: the task object 2357 * 2358 * Return 0 if read access is permitted 2359 */ 2360static int smack_task_getscheduler(struct task_struct *p) 2361{ 2362 return smk_curacc_on_task(p, MAY_READ, __func__); 2363} 2364 2365/** 2366 * smack_task_movememory - Smack check on moving memory 2367 * @p: the task object 2368 * 2369 * Return 0 if write access is permitted 2370 */ 2371static int smack_task_movememory(struct task_struct *p) 2372{ 2373 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2374} 2375 2376/** 2377 * smack_task_kill - Smack check on signal delivery 2378 * @p: the task object 2379 * @info: unused 2380 * @sig: unused 2381 * @cred: identifies the cred to use in lieu of current's 2382 * 2383 * Return 0 if write access is permitted 2384 * 2385 */ 2386static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2387 int sig, const struct cred *cred) 2388{ 2389 struct smk_audit_info ad; 2390 struct smack_known *skp; 2391 struct smack_known *tkp = smk_of_task_struct_obj(p); 2392 int rc; 2393 2394 if (!sig) 2395 return 0; /* null signal; existence test */ 2396 2397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2398 smk_ad_setfield_u_tsk(&ad, p); 2399 /* 2400 * Sending a signal requires that the sender 2401 * can write the receiver. 2402 */ 2403 if (cred == NULL) { 2404 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2405 rc = smk_bu_task(p, MAY_DELIVER, rc); 2406 return rc; 2407 } 2408 /* 2409 * If the cred isn't NULL we're dealing with some USB IO 2410 * specific behavior. This is not clean. For one thing 2411 * we can't take privilege into account. 2412 */ 2413 skp = smk_of_task(smack_cred(cred)); 2414 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2415 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2416 return rc; 2417} 2418 2419/** 2420 * smack_task_to_inode - copy task smack into the inode blob 2421 * @p: task to copy from 2422 * @inode: inode to copy to 2423 * 2424 * Sets the smack pointer in the inode security blob 2425 */ 2426static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2427{ 2428 struct inode_smack *isp = smack_inode(inode); 2429 struct smack_known *skp = smk_of_task_struct_obj(p); 2430 2431 isp->smk_inode = skp; 2432 isp->smk_flags |= SMK_INODE_INSTANT; 2433} 2434 2435/* 2436 * Socket hooks. 2437 */ 2438 2439/** 2440 * smack_sk_alloc_security - Allocate a socket blob 2441 * @sk: the socket 2442 * @family: unused 2443 * @gfp_flags: memory allocation flags 2444 * 2445 * Assign Smack pointers to current 2446 * 2447 * Returns 0 on success, -ENOMEM is there's no memory 2448 */ 2449static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2450{ 2451 struct smack_known *skp = smk_of_current(); 2452 struct socket_smack *ssp = smack_sock(sk); 2453 2454 /* 2455 * Sockets created by kernel threads receive web label. 2456 */ 2457 if (unlikely(current->flags & PF_KTHREAD)) { 2458 ssp->smk_in = &smack_known_web; 2459 ssp->smk_out = &smack_known_web; 2460 } else { 2461 ssp->smk_in = skp; 2462 ssp->smk_out = skp; 2463 } 2464 ssp->smk_packet = NULL; 2465 2466 return 0; 2467} 2468 2469#ifdef SMACK_IPV6_PORT_LABELING 2470/** 2471 * smack_sk_free_security - Free a socket blob 2472 * @sk: the socket 2473 * 2474 * Clears the blob pointer 2475 */ 2476static void smack_sk_free_security(struct sock *sk) 2477{ 2478 struct smk_port_label *spp; 2479 2480 if (sk->sk_family == PF_INET6) { 2481 rcu_read_lock(); 2482 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2483 if (spp->smk_sock != sk) 2484 continue; 2485 spp->smk_can_reuse = 1; 2486 break; 2487 } 2488 rcu_read_unlock(); 2489 } 2490} 2491#endif 2492 2493/** 2494 * smack_sk_clone_security - Copy security context 2495 * @sk: the old socket 2496 * @newsk: the new socket 2497 * 2498 * Copy the security context of the old socket pointer to the cloned 2499 */ 2500static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2501{ 2502 struct socket_smack *ssp_old = smack_sock(sk); 2503 struct socket_smack *ssp_new = smack_sock(newsk); 2504 2505 *ssp_new = *ssp_old; 2506} 2507 2508/** 2509* smack_ipv4host_label - check host based restrictions 2510* @sip: the object end 2511* 2512* looks for host based access restrictions 2513* 2514* This version will only be appropriate for really small sets of single label 2515* hosts. The caller is responsible for ensuring that the RCU read lock is 2516* taken before calling this function. 2517* 2518* Returns the label of the far end or NULL if it's not special. 2519*/ 2520static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2521{ 2522 struct smk_net4addr *snp; 2523 struct in_addr *siap = &sip->sin_addr; 2524 2525 if (siap->s_addr == 0) 2526 return NULL; 2527 2528 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2529 /* 2530 * we break after finding the first match because 2531 * the list is sorted from longest to shortest mask 2532 * so we have found the most specific match 2533 */ 2534 if (snp->smk_host.s_addr == 2535 (siap->s_addr & snp->smk_mask.s_addr)) 2536 return snp->smk_label; 2537 2538 return NULL; 2539} 2540 2541#if IS_ENABLED(CONFIG_IPV6) 2542/* 2543 * smk_ipv6_localhost - Check for local ipv6 host address 2544 * @sip: the address 2545 * 2546 * Returns boolean true if this is the localhost address 2547 */ 2548static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2549{ 2550 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2551 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2552 2553 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2554 ntohs(be16p[7]) == 1) 2555 return true; 2556 return false; 2557} 2558 2559/** 2560* smack_ipv6host_label - check host based restrictions 2561* @sip: the object end 2562* 2563* looks for host based access restrictions 2564* 2565* This version will only be appropriate for really small sets of single label 2566* hosts. The caller is responsible for ensuring that the RCU read lock is 2567* taken before calling this function. 2568* 2569* Returns the label of the far end or NULL if it's not special. 2570*/ 2571static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2572{ 2573 struct smk_net6addr *snp; 2574 struct in6_addr *sap = &sip->sin6_addr; 2575 int i; 2576 int found = 0; 2577 2578 /* 2579 * It's local. Don't look for a host label. 2580 */ 2581 if (smk_ipv6_localhost(sip)) 2582 return NULL; 2583 2584 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2585 /* 2586 * If the label is NULL the entry has 2587 * been renounced. Ignore it. 2588 */ 2589 if (snp->smk_label == NULL) 2590 continue; 2591 /* 2592 * we break after finding the first match because 2593 * the list is sorted from longest to shortest mask 2594 * so we have found the most specific match 2595 */ 2596 for (found = 1, i = 0; i < 8; i++) { 2597 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2598 snp->smk_host.s6_addr16[i]) { 2599 found = 0; 2600 break; 2601 } 2602 } 2603 if (found) 2604 return snp->smk_label; 2605 } 2606 2607 return NULL; 2608} 2609#endif /* CONFIG_IPV6 */ 2610 2611/** 2612 * smack_netlbl_add - Set the secattr on a socket 2613 * @sk: the socket 2614 * 2615 * Attach the outbound smack value (smk_out) to the socket. 2616 * 2617 * Returns 0 on success or an error code 2618 */ 2619static int smack_netlbl_add(struct sock *sk) 2620{ 2621 struct socket_smack *ssp = smack_sock(sk); 2622 struct smack_known *skp = ssp->smk_out; 2623 int rc; 2624 2625 local_bh_disable(); 2626 bh_lock_sock_nested(sk); 2627 2628 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2629 netlbl_sk_lock_check(sk)); 2630 switch (rc) { 2631 case 0: 2632 ssp->smk_state = SMK_NETLBL_LABELED; 2633 break; 2634 case -EDESTADDRREQ: 2635 ssp->smk_state = SMK_NETLBL_REQSKB; 2636 rc = 0; 2637 break; 2638 } 2639 2640 bh_unlock_sock(sk); 2641 local_bh_enable(); 2642 2643 return rc; 2644} 2645 2646/** 2647 * smack_netlbl_delete - Remove the secattr from a socket 2648 * @sk: the socket 2649 * 2650 * Remove the outbound smack value from a socket 2651 */ 2652static void smack_netlbl_delete(struct sock *sk) 2653{ 2654 struct socket_smack *ssp = smack_sock(sk); 2655 2656 /* 2657 * Take the label off the socket if one is set. 2658 */ 2659 if (ssp->smk_state != SMK_NETLBL_LABELED) 2660 return; 2661 2662 local_bh_disable(); 2663 bh_lock_sock_nested(sk); 2664 netlbl_sock_delattr(sk); 2665 bh_unlock_sock(sk); 2666 local_bh_enable(); 2667 ssp->smk_state = SMK_NETLBL_UNLABELED; 2668} 2669 2670/** 2671 * smk_ipv4_check - Perform IPv4 host access checks 2672 * @sk: the socket 2673 * @sap: the destination address 2674 * 2675 * Set the correct secattr for the given socket based on the destination 2676 * address and perform any outbound access checks needed. 2677 * 2678 * Returns 0 on success or an error code. 2679 * 2680 */ 2681static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2682{ 2683 struct smack_known *skp; 2684 int rc = 0; 2685 struct smack_known *hkp; 2686 struct socket_smack *ssp = smack_sock(sk); 2687 struct smk_audit_info ad; 2688 2689 rcu_read_lock(); 2690 hkp = smack_ipv4host_label(sap); 2691 if (hkp != NULL) { 2692#ifdef CONFIG_AUDIT 2693 struct lsm_network_audit net; 2694 2695 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2696 ad.a.u.net->family = sap->sin_family; 2697 ad.a.u.net->dport = sap->sin_port; 2698 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2699#endif 2700 skp = ssp->smk_out; 2701 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2702 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2703 /* 2704 * Clear the socket netlabel if it's set. 2705 */ 2706 if (!rc) 2707 smack_netlbl_delete(sk); 2708 } 2709 rcu_read_unlock(); 2710 2711 return rc; 2712} 2713 2714#if IS_ENABLED(CONFIG_IPV6) 2715/** 2716 * smk_ipv6_check - check Smack access 2717 * @subject: subject Smack label 2718 * @object: object Smack label 2719 * @address: address 2720 * @act: the action being taken 2721 * 2722 * Check an IPv6 access 2723 */ 2724static int smk_ipv6_check(struct smack_known *subject, 2725 struct smack_known *object, 2726 struct sockaddr_in6 *address, int act) 2727{ 2728#ifdef CONFIG_AUDIT 2729 struct lsm_network_audit net; 2730#endif 2731 struct smk_audit_info ad; 2732 int rc; 2733 2734#ifdef CONFIG_AUDIT 2735 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2736 ad.a.u.net->family = PF_INET6; 2737 ad.a.u.net->dport = address->sin6_port; 2738 if (act == SMK_RECEIVING) 2739 ad.a.u.net->v6info.saddr = address->sin6_addr; 2740 else 2741 ad.a.u.net->v6info.daddr = address->sin6_addr; 2742#endif 2743 rc = smk_access(subject, object, MAY_WRITE, &ad); 2744 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2745 return rc; 2746} 2747#endif /* CONFIG_IPV6 */ 2748 2749#ifdef SMACK_IPV6_PORT_LABELING 2750/** 2751 * smk_ipv6_port_label - Smack port access table management 2752 * @sock: socket 2753 * @address: address 2754 * 2755 * Create or update the port list entry 2756 */ 2757static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2758{ 2759 struct sock *sk = sock->sk; 2760 struct sockaddr_in6 *addr6; 2761 struct socket_smack *ssp = smack_sock(sock->sk); 2762 struct smk_port_label *spp; 2763 unsigned short port = 0; 2764 2765 if (address == NULL) { 2766 /* 2767 * This operation is changing the Smack information 2768 * on the bound socket. Take the changes to the port 2769 * as well. 2770 */ 2771 rcu_read_lock(); 2772 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2773 if (sk != spp->smk_sock) 2774 continue; 2775 spp->smk_in = ssp->smk_in; 2776 spp->smk_out = ssp->smk_out; 2777 rcu_read_unlock(); 2778 return; 2779 } 2780 /* 2781 * A NULL address is only used for updating existing 2782 * bound entries. If there isn't one, it's OK. 2783 */ 2784 rcu_read_unlock(); 2785 return; 2786 } 2787 2788 addr6 = (struct sockaddr_in6 *)address; 2789 port = ntohs(addr6->sin6_port); 2790 /* 2791 * This is a special case that is safely ignored. 2792 */ 2793 if (port == 0) 2794 return; 2795 2796 /* 2797 * Look for an existing port list entry. 2798 * This is an indication that a port is getting reused. 2799 */ 2800 rcu_read_lock(); 2801 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2802 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2803 continue; 2804 if (spp->smk_can_reuse != 1) { 2805 rcu_read_unlock(); 2806 return; 2807 } 2808 spp->smk_port = port; 2809 spp->smk_sock = sk; 2810 spp->smk_in = ssp->smk_in; 2811 spp->smk_out = ssp->smk_out; 2812 spp->smk_can_reuse = 0; 2813 rcu_read_unlock(); 2814 return; 2815 } 2816 rcu_read_unlock(); 2817 /* 2818 * A new port entry is required. 2819 */ 2820 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2821 if (spp == NULL) 2822 return; 2823 2824 spp->smk_port = port; 2825 spp->smk_sock = sk; 2826 spp->smk_in = ssp->smk_in; 2827 spp->smk_out = ssp->smk_out; 2828 spp->smk_sock_type = sock->type; 2829 spp->smk_can_reuse = 0; 2830 2831 mutex_lock(&smack_ipv6_lock); 2832 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2833 mutex_unlock(&smack_ipv6_lock); 2834 return; 2835} 2836 2837/** 2838 * smk_ipv6_port_check - check Smack port access 2839 * @sk: socket 2840 * @address: address 2841 * @act: the action being taken 2842 * 2843 * Create or update the port list entry 2844 */ 2845static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2846 int act) 2847{ 2848 struct smk_port_label *spp; 2849 struct socket_smack *ssp = smack_sock(sk); 2850 struct smack_known *skp = NULL; 2851 unsigned short port; 2852 struct smack_known *object; 2853 2854 if (act == SMK_RECEIVING) { 2855 skp = smack_ipv6host_label(address); 2856 object = ssp->smk_in; 2857 } else { 2858 skp = ssp->smk_out; 2859 object = smack_ipv6host_label(address); 2860 } 2861 2862 /* 2863 * The other end is a single label host. 2864 */ 2865 if (skp != NULL && object != NULL) 2866 return smk_ipv6_check(skp, object, address, act); 2867 if (skp == NULL) 2868 skp = smack_net_ambient; 2869 if (object == NULL) 2870 object = smack_net_ambient; 2871 2872 /* 2873 * It's remote, so port lookup does no good. 2874 */ 2875 if (!smk_ipv6_localhost(address)) 2876 return smk_ipv6_check(skp, object, address, act); 2877 2878 /* 2879 * It's local so the send check has to have passed. 2880 */ 2881 if (act == SMK_RECEIVING) 2882 return 0; 2883 2884 port = ntohs(address->sin6_port); 2885 rcu_read_lock(); 2886 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2887 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2888 continue; 2889 object = spp->smk_in; 2890 if (act == SMK_CONNECTING) 2891 ssp->smk_packet = spp->smk_out; 2892 break; 2893 } 2894 rcu_read_unlock(); 2895 2896 return smk_ipv6_check(skp, object, address, act); 2897} 2898#endif 2899 2900/** 2901 * smack_inode_setsecurity - set smack xattrs 2902 * @inode: the object 2903 * @name: attribute name 2904 * @value: attribute value 2905 * @size: size of the attribute 2906 * @flags: unused 2907 * 2908 * Sets the named attribute in the appropriate blob 2909 * 2910 * Returns 0 on success, or an error code 2911 */ 2912static int smack_inode_setsecurity(struct inode *inode, const char *name, 2913 const void *value, size_t size, int flags) 2914{ 2915 struct smack_known *skp; 2916 struct inode_smack *nsp = smack_inode(inode); 2917 struct socket_smack *ssp; 2918 struct socket *sock; 2919 int rc = 0; 2920 2921 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2922 return -EINVAL; 2923 2924 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2925 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2926 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2927 return -EINVAL; 2928 2929 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2930 return 0; 2931 } 2932 2933 skp = smk_import_entry(value, size); 2934 if (IS_ERR(skp)) 2935 return PTR_ERR(skp); 2936 2937 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2938 nsp->smk_inode = skp; 2939 nsp->smk_flags |= SMK_INODE_INSTANT; 2940 return 0; 2941 } 2942 /* 2943 * The rest of the Smack xattrs are only on sockets. 2944 */ 2945 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2946 return -EOPNOTSUPP; 2947 2948 sock = SOCKET_I(inode); 2949 if (sock == NULL || sock->sk == NULL) 2950 return -EOPNOTSUPP; 2951 2952 ssp = smack_sock(sock->sk); 2953 2954 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2955 ssp->smk_in = skp; 2956 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2957 ssp->smk_out = skp; 2958 if (sock->sk->sk_family == PF_INET) { 2959 rc = smack_netlbl_add(sock->sk); 2960 if (rc != 0) 2961 printk(KERN_WARNING 2962 "Smack: \"%s\" netlbl error %d.\n", 2963 __func__, -rc); 2964 } 2965 } else 2966 return -EOPNOTSUPP; 2967 2968#ifdef SMACK_IPV6_PORT_LABELING 2969 if (sock->sk->sk_family == PF_INET6) 2970 smk_ipv6_port_label(sock, NULL); 2971#endif 2972 2973 return 0; 2974} 2975 2976/** 2977 * smack_socket_post_create - finish socket setup 2978 * @sock: the socket 2979 * @family: protocol family 2980 * @type: unused 2981 * @protocol: unused 2982 * @kern: unused 2983 * 2984 * Sets the netlabel information on the socket 2985 * 2986 * Returns 0 on success, and error code otherwise 2987 */ 2988static int smack_socket_post_create(struct socket *sock, int family, 2989 int type, int protocol, int kern) 2990{ 2991 struct socket_smack *ssp; 2992 2993 if (sock->sk == NULL) 2994 return 0; 2995 2996 /* 2997 * Sockets created by kernel threads receive web label. 2998 */ 2999 if (unlikely(current->flags & PF_KTHREAD)) { 3000 ssp = smack_sock(sock->sk); 3001 ssp->smk_in = &smack_known_web; 3002 ssp->smk_out = &smack_known_web; 3003 } 3004 3005 if (family != PF_INET) 3006 return 0; 3007 /* 3008 * Set the outbound netlbl. 3009 */ 3010 return smack_netlbl_add(sock->sk); 3011} 3012 3013/** 3014 * smack_socket_socketpair - create socket pair 3015 * @socka: one socket 3016 * @sockb: another socket 3017 * 3018 * Cross reference the peer labels for SO_PEERSEC 3019 * 3020 * Returns 0 3021 */ 3022static int smack_socket_socketpair(struct socket *socka, 3023 struct socket *sockb) 3024{ 3025 struct socket_smack *asp = smack_sock(socka->sk); 3026 struct socket_smack *bsp = smack_sock(sockb->sk); 3027 3028 asp->smk_packet = bsp->smk_out; 3029 bsp->smk_packet = asp->smk_out; 3030 3031 return 0; 3032} 3033 3034#ifdef SMACK_IPV6_PORT_LABELING 3035/** 3036 * smack_socket_bind - record port binding information. 3037 * @sock: the socket 3038 * @address: the port address 3039 * @addrlen: size of the address 3040 * 3041 * Records the label bound to a port. 3042 * 3043 * Returns 0 on success, and error code otherwise 3044 */ 3045static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 3046 int addrlen) 3047{ 3048 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 3049 if (addrlen < SIN6_LEN_RFC2133 || 3050 address->sa_family != AF_INET6) 3051 return -EINVAL; 3052 smk_ipv6_port_label(sock, address); 3053 } 3054 return 0; 3055} 3056#endif /* SMACK_IPV6_PORT_LABELING */ 3057 3058/** 3059 * smack_socket_connect - connect access check 3060 * @sock: the socket 3061 * @sap: the other end 3062 * @addrlen: size of sap 3063 * 3064 * Verifies that a connection may be possible 3065 * 3066 * Returns 0 on success, and error code otherwise 3067 */ 3068static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3069 int addrlen) 3070{ 3071 int rc = 0; 3072 3073 if (sock->sk == NULL) 3074 return 0; 3075 if (sock->sk->sk_family != PF_INET && 3076 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3077 return 0; 3078 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3079 return 0; 3080 3081#if IS_ENABLED(CONFIG_IPV6) 3082 if (sap->sa_family == AF_INET6) { 3083 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3084 struct smack_known *rsp = NULL; 3085 3086 if (addrlen < SIN6_LEN_RFC2133) 3087 return 0; 3088 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3089 rsp = smack_ipv6host_label(sip); 3090 if (rsp != NULL) { 3091 struct socket_smack *ssp = smack_sock(sock->sk); 3092 3093 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3094 SMK_CONNECTING); 3095 } 3096#ifdef SMACK_IPV6_PORT_LABELING 3097 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3098#endif 3099 3100 return rc; 3101 } 3102#endif /* CONFIG_IPV6 */ 3103 3104 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3105 return 0; 3106 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3107 return rc; 3108} 3109 3110/** 3111 * smack_flags_to_may - convert S_ to MAY_ values 3112 * @flags: the S_ value 3113 * 3114 * Returns the equivalent MAY_ value 3115 */ 3116static int smack_flags_to_may(int flags) 3117{ 3118 int may = 0; 3119 3120 if (flags & S_IRUGO) 3121 may |= MAY_READ; 3122 if (flags & S_IWUGO) 3123 may |= MAY_WRITE; 3124 if (flags & S_IXUGO) 3125 may |= MAY_EXEC; 3126 3127 return may; 3128} 3129 3130/** 3131 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3132 * @msg: the object 3133 * 3134 * Returns 0 3135 */ 3136static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3137{ 3138 struct smack_known **blob = smack_msg_msg(msg); 3139 3140 *blob = smk_of_current(); 3141 return 0; 3142} 3143 3144/** 3145 * smack_of_ipc - the smack pointer for the ipc 3146 * @isp: the object 3147 * 3148 * Returns a pointer to the smack value 3149 */ 3150static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3151{ 3152 struct smack_known **blob = smack_ipc(isp); 3153 3154 return *blob; 3155} 3156 3157/** 3158 * smack_ipc_alloc_security - Set the security blob for ipc 3159 * @isp: the object 3160 * 3161 * Returns 0 3162 */ 3163static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3164{ 3165 struct smack_known **blob = smack_ipc(isp); 3166 3167 *blob = smk_of_current(); 3168 return 0; 3169} 3170 3171/** 3172 * smk_curacc_shm : check if current has access on shm 3173 * @isp : the object 3174 * @access : access requested 3175 * 3176 * Returns 0 if current has the requested access, error code otherwise 3177 */ 3178static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3179{ 3180 struct smack_known *ssp = smack_of_ipc(isp); 3181 struct smk_audit_info ad; 3182 int rc; 3183 3184#ifdef CONFIG_AUDIT 3185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3186 ad.a.u.ipc_id = isp->id; 3187#endif 3188 rc = smk_curacc(ssp, access, &ad); 3189 rc = smk_bu_current("shm", ssp, access, rc); 3190 return rc; 3191} 3192 3193/** 3194 * smack_shm_associate - Smack access check for shm 3195 * @isp: the object 3196 * @shmflg: access requested 3197 * 3198 * Returns 0 if current has the requested access, error code otherwise 3199 */ 3200static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3201{ 3202 int may; 3203 3204 may = smack_flags_to_may(shmflg); 3205 return smk_curacc_shm(isp, may); 3206} 3207 3208/** 3209 * smack_shm_shmctl - Smack access check for shm 3210 * @isp: the object 3211 * @cmd: what it wants to do 3212 * 3213 * Returns 0 if current has the requested access, error code otherwise 3214 */ 3215static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3216{ 3217 int may; 3218 3219 switch (cmd) { 3220 case IPC_STAT: 3221 case SHM_STAT: 3222 case SHM_STAT_ANY: 3223 may = MAY_READ; 3224 break; 3225 case IPC_SET: 3226 case SHM_LOCK: 3227 case SHM_UNLOCK: 3228 case IPC_RMID: 3229 may = MAY_READWRITE; 3230 break; 3231 case IPC_INFO: 3232 case SHM_INFO: 3233 /* 3234 * System level information. 3235 */ 3236 return 0; 3237 default: 3238 return -EINVAL; 3239 } 3240 return smk_curacc_shm(isp, may); 3241} 3242 3243/** 3244 * smack_shm_shmat - Smack access for shmat 3245 * @isp: the object 3246 * @shmaddr: unused 3247 * @shmflg: access requested 3248 * 3249 * Returns 0 if current has the requested access, error code otherwise 3250 */ 3251static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3252 int shmflg) 3253{ 3254 int may; 3255 3256 may = smack_flags_to_may(shmflg); 3257 return smk_curacc_shm(isp, may); 3258} 3259 3260/** 3261 * smk_curacc_sem : check if current has access on sem 3262 * @isp : the object 3263 * @access : access requested 3264 * 3265 * Returns 0 if current has the requested access, error code otherwise 3266 */ 3267static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3268{ 3269 struct smack_known *ssp = smack_of_ipc(isp); 3270 struct smk_audit_info ad; 3271 int rc; 3272 3273#ifdef CONFIG_AUDIT 3274 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3275 ad.a.u.ipc_id = isp->id; 3276#endif 3277 rc = smk_curacc(ssp, access, &ad); 3278 rc = smk_bu_current("sem", ssp, access, rc); 3279 return rc; 3280} 3281 3282/** 3283 * smack_sem_associate - Smack access check for sem 3284 * @isp: the object 3285 * @semflg: access requested 3286 * 3287 * Returns 0 if current has the requested access, error code otherwise 3288 */ 3289static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3290{ 3291 int may; 3292 3293 may = smack_flags_to_may(semflg); 3294 return smk_curacc_sem(isp, may); 3295} 3296 3297/** 3298 * smack_sem_semctl - Smack access check for sem 3299 * @isp: the object 3300 * @cmd: what it wants to do 3301 * 3302 * Returns 0 if current has the requested access, error code otherwise 3303 */ 3304static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3305{ 3306 int may; 3307 3308 switch (cmd) { 3309 case GETPID: 3310 case GETNCNT: 3311 case GETZCNT: 3312 case GETVAL: 3313 case GETALL: 3314 case IPC_STAT: 3315 case SEM_STAT: 3316 case SEM_STAT_ANY: 3317 may = MAY_READ; 3318 break; 3319 case SETVAL: 3320 case SETALL: 3321 case IPC_RMID: 3322 case IPC_SET: 3323 may = MAY_READWRITE; 3324 break; 3325 case IPC_INFO: 3326 case SEM_INFO: 3327 /* 3328 * System level information 3329 */ 3330 return 0; 3331 default: 3332 return -EINVAL; 3333 } 3334 3335 return smk_curacc_sem(isp, may); 3336} 3337 3338/** 3339 * smack_sem_semop - Smack checks of semaphore operations 3340 * @isp: the object 3341 * @sops: unused 3342 * @nsops: unused 3343 * @alter: unused 3344 * 3345 * Treated as read and write in all cases. 3346 * 3347 * Returns 0 if access is allowed, error code otherwise 3348 */ 3349static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3350 unsigned nsops, int alter) 3351{ 3352 return smk_curacc_sem(isp, MAY_READWRITE); 3353} 3354 3355/** 3356 * smk_curacc_msq : helper to check if current has access on msq 3357 * @isp : the msq 3358 * @access : access requested 3359 * 3360 * return 0 if current has access, error otherwise 3361 */ 3362static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3363{ 3364 struct smack_known *msp = smack_of_ipc(isp); 3365 struct smk_audit_info ad; 3366 int rc; 3367 3368#ifdef CONFIG_AUDIT 3369 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3370 ad.a.u.ipc_id = isp->id; 3371#endif 3372 rc = smk_curacc(msp, access, &ad); 3373 rc = smk_bu_current("msq", msp, access, rc); 3374 return rc; 3375} 3376 3377/** 3378 * smack_msg_queue_associate - Smack access check for msg_queue 3379 * @isp: the object 3380 * @msqflg: access requested 3381 * 3382 * Returns 0 if current has the requested access, error code otherwise 3383 */ 3384static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3385{ 3386 int may; 3387 3388 may = smack_flags_to_may(msqflg); 3389 return smk_curacc_msq(isp, may); 3390} 3391 3392/** 3393 * smack_msg_queue_msgctl - Smack access check for msg_queue 3394 * @isp: the object 3395 * @cmd: what it wants to do 3396 * 3397 * Returns 0 if current has the requested access, error code otherwise 3398 */ 3399static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3400{ 3401 int may; 3402 3403 switch (cmd) { 3404 case IPC_STAT: 3405 case MSG_STAT: 3406 case MSG_STAT_ANY: 3407 may = MAY_READ; 3408 break; 3409 case IPC_SET: 3410 case IPC_RMID: 3411 may = MAY_READWRITE; 3412 break; 3413 case IPC_INFO: 3414 case MSG_INFO: 3415 /* 3416 * System level information 3417 */ 3418 return 0; 3419 default: 3420 return -EINVAL; 3421 } 3422 3423 return smk_curacc_msq(isp, may); 3424} 3425 3426/** 3427 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3428 * @isp: the object 3429 * @msg: unused 3430 * @msqflg: access requested 3431 * 3432 * Returns 0 if current has the requested access, error code otherwise 3433 */ 3434static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3435 int msqflg) 3436{ 3437 int may; 3438 3439 may = smack_flags_to_may(msqflg); 3440 return smk_curacc_msq(isp, may); 3441} 3442 3443/** 3444 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3445 * @isp: the object 3446 * @msg: unused 3447 * @target: unused 3448 * @type: unused 3449 * @mode: unused 3450 * 3451 * Returns 0 if current has read and write access, error code otherwise 3452 */ 3453static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3454 struct msg_msg *msg, 3455 struct task_struct *target, long type, 3456 int mode) 3457{ 3458 return smk_curacc_msq(isp, MAY_READWRITE); 3459} 3460 3461/** 3462 * smack_ipc_permission - Smack access for ipc_permission() 3463 * @ipp: the object permissions 3464 * @flag: access requested 3465 * 3466 * Returns 0 if current has read and write access, error code otherwise 3467 */ 3468static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3469{ 3470 struct smack_known **blob = smack_ipc(ipp); 3471 struct smack_known *iskp = *blob; 3472 int may = smack_flags_to_may(flag); 3473 struct smk_audit_info ad; 3474 int rc; 3475 3476#ifdef CONFIG_AUDIT 3477 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3478 ad.a.u.ipc_id = ipp->id; 3479#endif 3480 rc = smk_curacc(iskp, may, &ad); 3481 rc = smk_bu_current("svipc", iskp, may, rc); 3482 return rc; 3483} 3484 3485/** 3486 * smack_ipc_getlsmprop - Extract smack security data 3487 * @ipp: the object permissions 3488 * @prop: where result will be saved 3489 */ 3490static void smack_ipc_getlsmprop(struct kern_ipc_perm *ipp, struct lsm_prop *prop) 3491{ 3492 struct smack_known **iskpp = smack_ipc(ipp); 3493 3494 prop->smack.skp = *iskpp; 3495} 3496 3497/** 3498 * smack_d_instantiate - Make sure the blob is correct on an inode 3499 * @opt_dentry: dentry where inode will be attached 3500 * @inode: the object 3501 * 3502 * Set the inode's security blob if it hasn't been done already. 3503 */ 3504static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3505{ 3506 struct super_block *sbp; 3507 struct superblock_smack *sbsp; 3508 struct inode_smack *isp; 3509 struct smack_known *skp; 3510 struct smack_known *ckp = smk_of_current(); 3511 struct smack_known *final; 3512 char trattr[TRANS_TRUE_SIZE]; 3513 int transflag = 0; 3514 int rc; 3515 struct dentry *dp; 3516 3517 if (inode == NULL) 3518 return; 3519 3520 isp = smack_inode(inode); 3521 3522 /* 3523 * If the inode is already instantiated 3524 * take the quick way out 3525 */ 3526 if (isp->smk_flags & SMK_INODE_INSTANT) 3527 return; 3528 3529 sbp = inode->i_sb; 3530 sbsp = smack_superblock(sbp); 3531 /* 3532 * We're going to use the superblock default label 3533 * if there's no label on the file. 3534 */ 3535 final = sbsp->smk_default; 3536 3537 /* 3538 * If this is the root inode the superblock 3539 * may be in the process of initialization. 3540 * If that is the case use the root value out 3541 * of the superblock. 3542 */ 3543 if (opt_dentry->d_parent == opt_dentry) { 3544 switch (sbp->s_magic) { 3545 case CGROUP_SUPER_MAGIC: 3546 case CGROUP2_SUPER_MAGIC: 3547 /* 3548 * The cgroup filesystem is never mounted, 3549 * so there's no opportunity to set the mount 3550 * options. 3551 */ 3552 sbsp->smk_root = &smack_known_star; 3553 sbsp->smk_default = &smack_known_star; 3554 isp->smk_inode = sbsp->smk_root; 3555 break; 3556 case TMPFS_MAGIC: 3557 /* 3558 * What about shmem/tmpfs anonymous files with dentry 3559 * obtained from d_alloc_pseudo()? 3560 */ 3561 isp->smk_inode = smk_of_current(); 3562 break; 3563 case PIPEFS_MAGIC: 3564 isp->smk_inode = smk_of_current(); 3565 break; 3566 case SOCKFS_MAGIC: 3567 /* 3568 * Socket access is controlled by the socket 3569 * structures associated with the task involved. 3570 */ 3571 isp->smk_inode = &smack_known_star; 3572 break; 3573 default: 3574 isp->smk_inode = sbsp->smk_root; 3575 break; 3576 } 3577 isp->smk_flags |= SMK_INODE_INSTANT; 3578 return; 3579 } 3580 3581 /* 3582 * This is pretty hackish. 3583 * Casey says that we shouldn't have to do 3584 * file system specific code, but it does help 3585 * with keeping it simple. 3586 */ 3587 switch (sbp->s_magic) { 3588 case SMACK_MAGIC: 3589 case CGROUP_SUPER_MAGIC: 3590 case CGROUP2_SUPER_MAGIC: 3591 /* 3592 * Casey says that it's a little embarrassing 3593 * that the smack file system doesn't do 3594 * extended attributes. 3595 * 3596 * Cgroupfs is special 3597 */ 3598 final = &smack_known_star; 3599 break; 3600 case DEVPTS_SUPER_MAGIC: 3601 /* 3602 * devpts seems content with the label of the task. 3603 * Programs that change smack have to treat the 3604 * pty with respect. 3605 */ 3606 final = ckp; 3607 break; 3608 case PROC_SUPER_MAGIC: 3609 /* 3610 * Casey says procfs appears not to care. 3611 * The superblock default suffices. 3612 */ 3613 break; 3614 case TMPFS_MAGIC: 3615 /* 3616 * Device labels should come from the filesystem, 3617 * but watch out, because they're volitile, 3618 * getting recreated on every reboot. 3619 */ 3620 final = &smack_known_star; 3621 /* 3622 * If a smack value has been set we want to use it, 3623 * but since tmpfs isn't giving us the opportunity 3624 * to set mount options simulate setting the 3625 * superblock default. 3626 */ 3627 fallthrough; 3628 default: 3629 /* 3630 * This isn't an understood special case. 3631 * Get the value from the xattr. 3632 */ 3633 3634 /* 3635 * UDS inode has fixed label (*) 3636 */ 3637 if (S_ISSOCK(inode->i_mode)) { 3638 final = &smack_known_star; 3639 break; 3640 } 3641 /* 3642 * No xattr support means, alas, no SMACK label. 3643 * Use the aforeapplied default. 3644 * It would be curious if the label of the task 3645 * does not match that assigned. 3646 */ 3647 if (!(inode->i_opflags & IOP_XATTR)) 3648 break; 3649 /* 3650 * Get the dentry for xattr. 3651 */ 3652 dp = dget(opt_dentry); 3653 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3654 if (!IS_ERR_OR_NULL(skp)) 3655 final = skp; 3656 3657 /* 3658 * Transmuting directory 3659 */ 3660 if (S_ISDIR(inode->i_mode)) { 3661 /* 3662 * If this is a new directory and the label was 3663 * transmuted when the inode was initialized 3664 * set the transmute attribute on the directory 3665 * and mark the inode. 3666 * 3667 * If there is a transmute attribute on the 3668 * directory mark the inode. 3669 */ 3670 rc = __vfs_getxattr(dp, inode, 3671 XATTR_NAME_SMACKTRANSMUTE, trattr, 3672 TRANS_TRUE_SIZE); 3673 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3674 TRANS_TRUE_SIZE) != 0) 3675 rc = -EINVAL; 3676 if (rc >= 0) 3677 transflag = SMK_INODE_TRANSMUTE; 3678 } 3679 /* 3680 * Don't let the exec or mmap label be "*" or "@". 3681 */ 3682 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3683 if (IS_ERR(skp) || skp == &smack_known_star || 3684 skp == &smack_known_web) 3685 skp = NULL; 3686 isp->smk_task = skp; 3687 3688 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3689 if (IS_ERR(skp) || skp == &smack_known_star || 3690 skp == &smack_known_web) 3691 skp = NULL; 3692 isp->smk_mmap = skp; 3693 3694 dput(dp); 3695 break; 3696 } 3697 3698 if (final == NULL) 3699 isp->smk_inode = ckp; 3700 else 3701 isp->smk_inode = final; 3702 3703 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3704 3705 return; 3706} 3707 3708/** 3709 * smack_getselfattr - Smack current process attribute 3710 * @attr: which attribute to fetch 3711 * @ctx: buffer to receive the result 3712 * @size: available size in, actual size out 3713 * @flags: reserved, currently zero 3714 * 3715 * Fill the passed user space @ctx with the details of the requested 3716 * attribute. 3717 * 3718 * Returns the number of attributes on success, an error code otherwise. 3719 * There will only ever be one attribute. 3720 */ 3721static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3722 u32 *size, u32 flags) 3723{ 3724 int rc; 3725 struct smack_known *skp; 3726 3727 if (attr != LSM_ATTR_CURRENT) 3728 return -EOPNOTSUPP; 3729 3730 skp = smk_of_current(); 3731 rc = lsm_fill_user_ctx(ctx, size, 3732 skp->smk_known, strlen(skp->smk_known) + 1, 3733 LSM_ID_SMACK, 0); 3734 return (!rc ? 1 : rc); 3735} 3736 3737/** 3738 * smack_getprocattr - Smack process attribute access 3739 * @p: the object task 3740 * @name: the name of the attribute in /proc/.../attr 3741 * @value: where to put the result 3742 * 3743 * Places a copy of the task Smack into value 3744 * 3745 * Returns the length of the smack label or an error code 3746 */ 3747static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3748{ 3749 struct smack_known *skp = smk_of_task_struct_obj(p); 3750 char *cp; 3751 int slen; 3752 3753 if (strcmp(name, "current") != 0) 3754 return -EINVAL; 3755 3756 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3757 if (cp == NULL) 3758 return -ENOMEM; 3759 3760 slen = strlen(cp); 3761 *value = cp; 3762 return slen; 3763} 3764 3765/** 3766 * do_setattr - Smack process attribute setting 3767 * @attr: the ID of the attribute 3768 * @value: the value to set 3769 * @size: the size of the value 3770 * 3771 * Sets the Smack value of the task. Only setting self 3772 * is permitted and only with privilege 3773 * 3774 * Returns zero on success or an error code 3775 */ 3776static int do_setattr(unsigned int attr, void *value, size_t size) 3777{ 3778 struct task_smack *tsp = smack_cred(current_cred()); 3779 struct cred *new; 3780 struct smack_known *skp; 3781 int label_len; 3782 3783 /* 3784 * let unprivileged user validate input, check permissions later 3785 */ 3786 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3787 return -EINVAL; 3788 3789 label_len = smk_parse_label_len(value, size); 3790 if (label_len < 0 || label_len != size) 3791 return -EINVAL; 3792 3793 /* 3794 * No process is ever allowed the web ("@") label 3795 * and the star ("*") label. 3796 */ 3797 if (label_len == 1 /* '@', '*' */) { 3798 const char c = *(const char *)value; 3799 3800 if (c == *smack_known_web.smk_known || 3801 c == *smack_known_star.smk_known) 3802 return -EPERM; 3803 } 3804 3805 if (!smack_privileged(CAP_MAC_ADMIN)) { 3806 const struct smack_known_list_elem *sklep; 3807 list_for_each_entry(sklep, &tsp->smk_relabel, list) { 3808 const char *cp = sklep->smk_label->smk_known; 3809 3810 if (strlen(cp) == label_len && 3811 strncmp(cp, value, label_len) == 0) 3812 goto in_relabel; 3813 } 3814 return -EPERM; 3815in_relabel: 3816 ; 3817 } 3818 3819 skp = smk_import_valid_label(value, label_len, GFP_KERNEL); 3820 if (IS_ERR(skp)) 3821 return PTR_ERR(skp); 3822 3823 new = prepare_creds(); 3824 if (new == NULL) 3825 return -ENOMEM; 3826 3827 tsp = smack_cred(new); 3828 tsp->smk_task = skp; 3829 /* 3830 * process can change its label only once 3831 */ 3832 smk_destroy_label_list(&tsp->smk_relabel); 3833 3834 commit_creds(new); 3835 return 0; 3836} 3837 3838/** 3839 * smack_setselfattr - Set a Smack process attribute 3840 * @attr: which attribute to set 3841 * @ctx: buffer containing the data 3842 * @size: size of @ctx 3843 * @flags: reserved, must be zero 3844 * 3845 * Fill the passed user space @ctx with the details of the requested 3846 * attribute. 3847 * 3848 * Returns 0 on success, an error code otherwise. 3849 */ 3850static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3851 u32 size, u32 flags) 3852{ 3853 if (attr != LSM_ATTR_CURRENT) 3854 return -EOPNOTSUPP; 3855 3856 if (ctx->flags) 3857 return -EINVAL; 3858 /* 3859 * string must have \0 terminator, included in ctx->ctx 3860 * (see description of struct lsm_ctx) 3861 */ 3862 if (ctx->ctx_len == 0) 3863 return -EINVAL; 3864 3865 if (ctx->ctx[ctx->ctx_len - 1] != '\0') 3866 return -EINVAL; 3867 /* 3868 * other do_setattr() caller, smack_setprocattr(), 3869 * does not count \0 into size, so 3870 * decreasing length by 1 to accommodate the divergence. 3871 */ 3872 return do_setattr(attr, ctx->ctx, ctx->ctx_len - 1); 3873} 3874 3875/** 3876 * smack_setprocattr - Smack process attribute setting 3877 * @name: the name of the attribute in /proc/.../attr 3878 * @value: the value to set 3879 * @size: the size of the value 3880 * 3881 * Sets the Smack value of the task. Only setting self 3882 * is permitted and only with privilege 3883 * 3884 * Returns the size of the input value or an error code 3885 */ 3886static int smack_setprocattr(const char *name, void *value, size_t size) 3887{ 3888 size_t realsize = size; 3889 unsigned int attr = lsm_name_to_attr(name); 3890 3891 switch (attr) { 3892 case LSM_ATTR_UNDEF: return -EINVAL; 3893 default: return -EOPNOTSUPP; 3894 case LSM_ATTR_CURRENT: 3895 ; 3896 } 3897 3898 /* 3899 * The value for the "current" attribute is the label 3900 * followed by one of the 4 trailers: none, \0, \n, \n\0 3901 * 3902 * I.e. following inputs are accepted as 3-characters long label "foo": 3903 * 3904 * "foo" (3 characters) 3905 * "foo\0" (4 characters) 3906 * "foo\n" (4 characters) 3907 * "foo\n\0" (5 characters) 3908 */ 3909 3910 if (realsize && (((const char *)value)[realsize - 1] == '\0')) 3911 --realsize; 3912 3913 if (realsize && (((const char *)value)[realsize - 1] == '\n')) 3914 --realsize; 3915 3916 return do_setattr(attr, value, realsize) ? : size; 3917} 3918 3919/** 3920 * smack_unix_stream_connect - Smack access on UDS 3921 * @sock: one sock 3922 * @other: the other sock 3923 * @newsk: unused 3924 * 3925 * Return 0 if a subject with the smack of sock could access 3926 * an object with the smack of other, otherwise an error code 3927 */ 3928static int smack_unix_stream_connect(struct sock *sock, 3929 struct sock *other, struct sock *newsk) 3930{ 3931 struct smack_known *skp; 3932 struct smack_known *okp; 3933 struct socket_smack *ssp = smack_sock(sock); 3934 struct socket_smack *osp = smack_sock(other); 3935 struct socket_smack *nsp = smack_sock(newsk); 3936 struct smk_audit_info ad; 3937 int rc = 0; 3938#ifdef CONFIG_AUDIT 3939 struct lsm_network_audit net; 3940#endif 3941 3942 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3943 skp = ssp->smk_out; 3944 okp = osp->smk_in; 3945#ifdef CONFIG_AUDIT 3946 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3947 smk_ad_setfield_u_net_sk(&ad, other); 3948#endif 3949 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3950 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3951 if (rc == 0) { 3952 okp = osp->smk_out; 3953 skp = ssp->smk_in; 3954 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3955 rc = smk_bu_note("UDS connect", okp, skp, 3956 MAY_WRITE, rc); 3957 } 3958 } 3959 3960 if (rc == 0) { 3961 /* 3962 * Cross reference the peer labels for SO_PEERSEC. 3963 */ 3964 nsp->smk_packet = ssp->smk_out; 3965 ssp->smk_packet = osp->smk_out; 3966 3967 /* 3968 * new/child/established socket must inherit listening socket labels 3969 */ 3970 nsp->smk_out = osp->smk_out; 3971 nsp->smk_in = osp->smk_in; 3972 } 3973 3974 return rc; 3975} 3976 3977/** 3978 * smack_unix_may_send - Smack access on UDS 3979 * @sock: one socket 3980 * @other: the other socket 3981 * 3982 * Return 0 if a subject with the smack of sock could access 3983 * an object with the smack of other, otherwise an error code 3984 */ 3985static int smack_unix_may_send(struct socket *sock, struct socket *other) 3986{ 3987 struct socket_smack *ssp = smack_sock(sock->sk); 3988 struct socket_smack *osp = smack_sock(other->sk); 3989 struct smk_audit_info ad; 3990 int rc; 3991 3992#ifdef CONFIG_AUDIT 3993 struct lsm_network_audit net; 3994 3995 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3996 smk_ad_setfield_u_net_sk(&ad, other->sk); 3997#endif 3998 3999 if (smack_privileged(CAP_MAC_OVERRIDE)) 4000 return 0; 4001 4002 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 4003 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 4004 return rc; 4005} 4006 4007/** 4008 * smack_socket_sendmsg - Smack check based on destination host 4009 * @sock: the socket 4010 * @msg: the message 4011 * @size: the size of the message 4012 * 4013 * Return 0 if the current subject can write to the destination host. 4014 * For IPv4 this is only a question if the destination is a single label host. 4015 * For IPv6 this is a check against the label of the port. 4016 */ 4017static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4018 int size) 4019{ 4020 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 4021#if IS_ENABLED(CONFIG_IPV6) 4022 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 4023#endif 4024#ifdef SMACK_IPV6_SECMARK_LABELING 4025 struct socket_smack *ssp = smack_sock(sock->sk); 4026 struct smack_known *rsp; 4027#endif 4028 int rc = 0; 4029 4030 /* 4031 * Perfectly reasonable for this to be NULL 4032 */ 4033 if (sip == NULL) 4034 return 0; 4035 4036 switch (sock->sk->sk_family) { 4037 case AF_INET: 4038 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 4039 sip->sin_family != AF_INET) 4040 return -EINVAL; 4041 rc = smk_ipv4_check(sock->sk, sip); 4042 break; 4043#if IS_ENABLED(CONFIG_IPV6) 4044 case AF_INET6: 4045 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 4046 sap->sin6_family != AF_INET6) 4047 return -EINVAL; 4048#ifdef SMACK_IPV6_SECMARK_LABELING 4049 rsp = smack_ipv6host_label(sap); 4050 if (rsp != NULL) 4051 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 4052 SMK_CONNECTING); 4053#endif 4054#ifdef SMACK_IPV6_PORT_LABELING 4055 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 4056#endif 4057#endif /* IS_ENABLED(CONFIG_IPV6) */ 4058 break; 4059 } 4060 return rc; 4061} 4062 4063/** 4064 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 4065 * @sap: netlabel secattr 4066 * @ssp: socket security information 4067 * 4068 * Returns a pointer to a Smack label entry found on the label list. 4069 */ 4070static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 4071 struct socket_smack *ssp) 4072{ 4073 struct smack_known *skp; 4074 int found = 0; 4075 int acat; 4076 int kcat; 4077 4078 /* 4079 * Netlabel found it in the cache. 4080 */ 4081 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 4082 return (struct smack_known *)sap->cache->data; 4083 4084 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 4085 /* 4086 * Looks like a fallback, which gives us a secid. 4087 */ 4088 return smack_from_secid(sap->attr.secid); 4089 4090 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 4091 /* 4092 * Looks like a CIPSO packet. 4093 * If there are flags but no level netlabel isn't 4094 * behaving the way we expect it to. 4095 * 4096 * Look it up in the label table 4097 * Without guidance regarding the smack value 4098 * for the packet fall back on the network 4099 * ambient value. 4100 */ 4101 rcu_read_lock(); 4102 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4103 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4104 continue; 4105 /* 4106 * Compare the catsets. Use the netlbl APIs. 4107 */ 4108 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4109 if ((skp->smk_netlabel.flags & 4110 NETLBL_SECATTR_MLS_CAT) == 0) 4111 found = 1; 4112 break; 4113 } 4114 for (acat = -1, kcat = -1; acat == kcat; ) { 4115 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4116 acat + 1); 4117 kcat = netlbl_catmap_walk( 4118 skp->smk_netlabel.attr.mls.cat, 4119 kcat + 1); 4120 if (acat < 0 || kcat < 0) 4121 break; 4122 } 4123 if (acat == kcat) { 4124 found = 1; 4125 break; 4126 } 4127 } 4128 rcu_read_unlock(); 4129 4130 if (found) 4131 return skp; 4132 4133 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4134 return &smack_known_web; 4135 return &smack_known_star; 4136 } 4137 /* 4138 * Without guidance regarding the smack value 4139 * for the packet fall back on the network 4140 * ambient value. 4141 */ 4142 return smack_net_ambient; 4143} 4144 4145#if IS_ENABLED(CONFIG_IPV6) 4146static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4147{ 4148 u8 nexthdr; 4149 int offset; 4150 int proto = -EINVAL; 4151 struct ipv6hdr _ipv6h; 4152 struct ipv6hdr *ip6; 4153 __be16 frag_off; 4154 struct tcphdr _tcph, *th; 4155 struct udphdr _udph, *uh; 4156 4157 sip->sin6_port = 0; 4158 4159 offset = skb_network_offset(skb); 4160 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4161 if (ip6 == NULL) 4162 return -EINVAL; 4163 sip->sin6_addr = ip6->saddr; 4164 4165 nexthdr = ip6->nexthdr; 4166 offset += sizeof(_ipv6h); 4167 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4168 if (offset < 0) 4169 return -EINVAL; 4170 4171 proto = nexthdr; 4172 switch (proto) { 4173 case IPPROTO_TCP: 4174 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4175 if (th != NULL) 4176 sip->sin6_port = th->source; 4177 break; 4178 case IPPROTO_UDP: 4179 case IPPROTO_UDPLITE: 4180 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4181 if (uh != NULL) 4182 sip->sin6_port = uh->source; 4183 break; 4184 } 4185 return proto; 4186} 4187#endif /* CONFIG_IPV6 */ 4188 4189/** 4190 * smack_from_skb - Smack data from the secmark in an skb 4191 * @skb: packet 4192 * 4193 * Returns smack_known of the secmark or NULL if that won't work. 4194 */ 4195#ifdef CONFIG_NETWORK_SECMARK 4196static struct smack_known *smack_from_skb(struct sk_buff *skb) 4197{ 4198 if (skb == NULL || skb->secmark == 0) 4199 return NULL; 4200 4201 return smack_from_secid(skb->secmark); 4202} 4203#else 4204static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4205{ 4206 return NULL; 4207} 4208#endif 4209 4210/** 4211 * smack_from_netlbl - Smack data from the IP options in an skb 4212 * @sk: socket data came in on 4213 * @family: address family 4214 * @skb: packet 4215 * 4216 * Find the Smack label in the IP options. If it hasn't been 4217 * added to the netlabel cache, add it here. 4218 * 4219 * Returns smack_known of the IP options or NULL if that won't work. 4220 */ 4221static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4222 struct sk_buff *skb) 4223{ 4224 struct netlbl_lsm_secattr secattr; 4225 struct socket_smack *ssp = NULL; 4226 struct smack_known *skp = NULL; 4227 4228 netlbl_secattr_init(&secattr); 4229 4230 if (sk) 4231 ssp = smack_sock(sk); 4232 4233 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4234 skp = smack_from_secattr(&secattr, ssp); 4235 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4236 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4237 } 4238 4239 netlbl_secattr_destroy(&secattr); 4240 4241 return skp; 4242} 4243 4244/** 4245 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4246 * @sk: socket 4247 * @skb: packet 4248 * 4249 * Returns 0 if the packet should be delivered, an error code otherwise 4250 */ 4251static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4252{ 4253 struct socket_smack *ssp = smack_sock(sk); 4254 struct smack_known *skp = NULL; 4255 int rc = 0; 4256 struct smk_audit_info ad; 4257 u16 family = sk->sk_family; 4258#ifdef CONFIG_AUDIT 4259 struct lsm_network_audit net; 4260#endif 4261#if IS_ENABLED(CONFIG_IPV6) 4262 struct sockaddr_in6 sadd; 4263 int proto; 4264 4265 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4266 family = PF_INET; 4267#endif /* CONFIG_IPV6 */ 4268 4269 switch (family) { 4270 case PF_INET: 4271 /* 4272 * If there is a secmark use it rather than the CIPSO label. 4273 * If there is no secmark fall back to CIPSO. 4274 * The secmark is assumed to reflect policy better. 4275 */ 4276 skp = smack_from_skb(skb); 4277 if (skp == NULL) { 4278 skp = smack_from_netlbl(sk, family, skb); 4279 if (skp == NULL) 4280 skp = smack_net_ambient; 4281 } 4282 4283#ifdef CONFIG_AUDIT 4284 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4285 ad.a.u.net->family = family; 4286 ad.a.u.net->netif = skb->skb_iif; 4287 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4288#endif 4289 /* 4290 * Receiving a packet requires that the other end 4291 * be able to write here. Read access is not required. 4292 * This is the simplest possible security model 4293 * for networking. 4294 */ 4295 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4296 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4297 MAY_WRITE, rc); 4298 if (rc != 0) 4299 netlbl_skbuff_err(skb, family, rc, 0); 4300 break; 4301#if IS_ENABLED(CONFIG_IPV6) 4302 case PF_INET6: 4303 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4304 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4305 proto != IPPROTO_TCP) 4306 break; 4307#ifdef SMACK_IPV6_SECMARK_LABELING 4308 skp = smack_from_skb(skb); 4309 if (skp == NULL) { 4310 if (smk_ipv6_localhost(&sadd)) 4311 break; 4312 skp = smack_ipv6host_label(&sadd); 4313 if (skp == NULL) 4314 skp = smack_net_ambient; 4315 } 4316#ifdef CONFIG_AUDIT 4317 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4318 ad.a.u.net->family = family; 4319 ad.a.u.net->netif = skb->skb_iif; 4320 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4321#endif /* CONFIG_AUDIT */ 4322 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4323 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4324 MAY_WRITE, rc); 4325#endif /* SMACK_IPV6_SECMARK_LABELING */ 4326#ifdef SMACK_IPV6_PORT_LABELING 4327 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4328#endif /* SMACK_IPV6_PORT_LABELING */ 4329 if (rc != 0) 4330 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4331 ICMPV6_ADM_PROHIBITED, 0); 4332 break; 4333#endif /* CONFIG_IPV6 */ 4334 } 4335 4336 return rc; 4337} 4338 4339/** 4340 * smack_socket_getpeersec_stream - pull in packet label 4341 * @sock: the socket 4342 * @optval: user's destination 4343 * @optlen: size thereof 4344 * @len: max thereof 4345 * 4346 * returns zero on success, an error code otherwise 4347 */ 4348static int smack_socket_getpeersec_stream(struct socket *sock, 4349 sockptr_t optval, sockptr_t optlen, 4350 unsigned int len) 4351{ 4352 struct socket_smack *ssp; 4353 char *rcp = ""; 4354 u32 slen = 1; 4355 int rc = 0; 4356 4357 ssp = smack_sock(sock->sk); 4358 if (ssp->smk_packet != NULL) { 4359 rcp = ssp->smk_packet->smk_known; 4360 slen = strlen(rcp) + 1; 4361 } 4362 if (slen > len) { 4363 rc = -ERANGE; 4364 goto out_len; 4365 } 4366 4367 if (copy_to_sockptr(optval, rcp, slen)) 4368 rc = -EFAULT; 4369out_len: 4370 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4371 rc = -EFAULT; 4372 return rc; 4373} 4374 4375 4376/** 4377 * smack_socket_getpeersec_dgram - pull in packet label 4378 * @sock: the peer socket 4379 * @skb: packet data 4380 * @secid: pointer to where to put the secid of the packet 4381 * 4382 * Sets the netlabel socket state on sk from parent 4383 */ 4384static int smack_socket_getpeersec_dgram(struct socket *sock, 4385 struct sk_buff *skb, u32 *secid) 4386 4387{ 4388 struct socket_smack *ssp = NULL; 4389 struct smack_known *skp; 4390 struct sock *sk = NULL; 4391 int family = PF_UNSPEC; 4392 u32 s = 0; /* 0 is the invalid secid */ 4393 4394 if (skb != NULL) { 4395 if (skb->protocol == htons(ETH_P_IP)) 4396 family = PF_INET; 4397#if IS_ENABLED(CONFIG_IPV6) 4398 else if (skb->protocol == htons(ETH_P_IPV6)) 4399 family = PF_INET6; 4400#endif /* CONFIG_IPV6 */ 4401 } 4402 if (family == PF_UNSPEC && sock != NULL) 4403 family = sock->sk->sk_family; 4404 4405 switch (family) { 4406 case PF_UNIX: 4407 ssp = smack_sock(sock->sk); 4408 s = ssp->smk_out->smk_secid; 4409 break; 4410 case PF_INET: 4411 skp = smack_from_skb(skb); 4412 if (skp) { 4413 s = skp->smk_secid; 4414 break; 4415 } 4416 /* 4417 * Translate what netlabel gave us. 4418 */ 4419 if (sock != NULL) 4420 sk = sock->sk; 4421 skp = smack_from_netlbl(sk, family, skb); 4422 if (skp != NULL) 4423 s = skp->smk_secid; 4424 break; 4425 case PF_INET6: 4426#ifdef SMACK_IPV6_SECMARK_LABELING 4427 skp = smack_from_skb(skb); 4428 if (skp) 4429 s = skp->smk_secid; 4430#endif 4431 break; 4432 } 4433 *secid = s; 4434 if (s == 0) 4435 return -EINVAL; 4436 return 0; 4437} 4438 4439/** 4440 * smack_inet_conn_request - Smack access check on connect 4441 * @sk: socket involved 4442 * @skb: packet 4443 * @req: unused 4444 * 4445 * Returns 0 if a task with the packet label could write to 4446 * the socket, otherwise an error code 4447 */ 4448static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4449 struct request_sock *req) 4450{ 4451 u16 family = sk->sk_family; 4452 struct smack_known *skp; 4453 struct socket_smack *ssp = smack_sock(sk); 4454 struct sockaddr_in addr; 4455 struct iphdr *hdr; 4456 struct smack_known *hskp; 4457 int rc; 4458 struct smk_audit_info ad; 4459#ifdef CONFIG_AUDIT 4460 struct lsm_network_audit net; 4461#endif 4462 4463#if IS_ENABLED(CONFIG_IPV6) 4464 if (family == PF_INET6) { 4465 /* 4466 * Handle mapped IPv4 packets arriving 4467 * via IPv6 sockets. Don't set up netlabel 4468 * processing on IPv6. 4469 */ 4470 if (skb->protocol == htons(ETH_P_IP)) 4471 family = PF_INET; 4472 else 4473 return 0; 4474 } 4475#endif /* CONFIG_IPV6 */ 4476 4477 /* 4478 * If there is a secmark use it rather than the CIPSO label. 4479 * If there is no secmark fall back to CIPSO. 4480 * The secmark is assumed to reflect policy better. 4481 */ 4482 skp = smack_from_skb(skb); 4483 if (skp == NULL) { 4484 skp = smack_from_netlbl(sk, family, skb); 4485 if (skp == NULL) 4486 skp = &smack_known_huh; 4487 } 4488 4489#ifdef CONFIG_AUDIT 4490 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4491 ad.a.u.net->family = family; 4492 ad.a.u.net->netif = skb->skb_iif; 4493 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4494#endif 4495 /* 4496 * Receiving a packet requires that the other end be able to write 4497 * here. Read access is not required. 4498 */ 4499 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4500 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4501 if (rc != 0) 4502 return rc; 4503 4504 /* 4505 * Save the peer's label in the request_sock so we can later setup 4506 * smk_packet in the child socket so that SO_PEERCRED can report it. 4507 */ 4508 req->peer_secid = skp->smk_secid; 4509 4510 /* 4511 * We need to decide if we want to label the incoming connection here 4512 * if we do we only need to label the request_sock and the stack will 4513 * propagate the wire-label to the sock when it is created. 4514 */ 4515 hdr = ip_hdr(skb); 4516 addr.sin_addr.s_addr = hdr->saddr; 4517 rcu_read_lock(); 4518 hskp = smack_ipv4host_label(&addr); 4519 rcu_read_unlock(); 4520 4521 if (hskp == NULL) 4522 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4523 else 4524 netlbl_req_delattr(req); 4525 4526 return rc; 4527} 4528 4529/** 4530 * smack_inet_csk_clone - Copy the connection information to the new socket 4531 * @sk: the new socket 4532 * @req: the connection's request_sock 4533 * 4534 * Transfer the connection's peer label to the newly created socket. 4535 */ 4536static void smack_inet_csk_clone(struct sock *sk, 4537 const struct request_sock *req) 4538{ 4539 struct socket_smack *ssp = smack_sock(sk); 4540 struct smack_known *skp; 4541 4542 if (req->peer_secid != 0) { 4543 skp = smack_from_secid(req->peer_secid); 4544 ssp->smk_packet = skp; 4545 } else 4546 ssp->smk_packet = NULL; 4547} 4548 4549/* 4550 * Key management security hooks 4551 * 4552 * Casey has not tested key support very heavily. 4553 * The permission check is most likely too restrictive. 4554 * If you care about keys please have a look. 4555 */ 4556#ifdef CONFIG_KEYS 4557 4558/** 4559 * smack_key_alloc - Set the key security blob 4560 * @key: object 4561 * @cred: the credentials to use 4562 * @flags: unused 4563 * 4564 * No allocation required 4565 * 4566 * Returns 0 4567 */ 4568static int smack_key_alloc(struct key *key, const struct cred *cred, 4569 unsigned long flags) 4570{ 4571 struct smack_known **blob = smack_key(key); 4572 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4573 4574 *blob = skp; 4575 return 0; 4576} 4577 4578/** 4579 * smack_key_permission - Smack access on a key 4580 * @key_ref: gets to the object 4581 * @cred: the credentials to use 4582 * @need_perm: requested key permission 4583 * 4584 * Return 0 if the task has read and write to the object, 4585 * an error code otherwise 4586 */ 4587static int smack_key_permission(key_ref_t key_ref, 4588 const struct cred *cred, 4589 enum key_need_perm need_perm) 4590{ 4591 struct smack_known **blob; 4592 struct smack_known *skp; 4593 struct key *keyp; 4594 struct smk_audit_info ad; 4595 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4596 int request = 0; 4597 int rc; 4598 4599 /* 4600 * Validate requested permissions 4601 */ 4602 switch (need_perm) { 4603 case KEY_NEED_READ: 4604 case KEY_NEED_SEARCH: 4605 case KEY_NEED_VIEW: 4606 request |= MAY_READ; 4607 break; 4608 case KEY_NEED_WRITE: 4609 case KEY_NEED_LINK: 4610 case KEY_NEED_SETATTR: 4611 request |= MAY_WRITE; 4612 break; 4613 case KEY_NEED_UNSPECIFIED: 4614 case KEY_NEED_UNLINK: 4615 case KEY_SYSADMIN_OVERRIDE: 4616 case KEY_AUTHTOKEN_OVERRIDE: 4617 case KEY_DEFER_PERM_CHECK: 4618 return 0; 4619 default: 4620 return -EINVAL; 4621 } 4622 4623 keyp = key_ref_to_ptr(key_ref); 4624 if (keyp == NULL) 4625 return -EINVAL; 4626 /* 4627 * If the key hasn't been initialized give it access so that 4628 * it may do so. 4629 */ 4630 blob = smack_key(keyp); 4631 skp = *blob; 4632 if (skp == NULL) 4633 return 0; 4634 /* 4635 * This should not occur 4636 */ 4637 if (tkp == NULL) 4638 return -EACCES; 4639 4640 if (smack_privileged(CAP_MAC_OVERRIDE)) 4641 return 0; 4642 4643#ifdef CONFIG_AUDIT 4644 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4645 ad.a.u.key_struct.key = keyp->serial; 4646 ad.a.u.key_struct.key_desc = keyp->description; 4647#endif 4648 rc = smk_access(tkp, skp, request, &ad); 4649 rc = smk_bu_note("key access", tkp, skp, request, rc); 4650 return rc; 4651} 4652 4653/* 4654 * smack_key_getsecurity - Smack label tagging the key 4655 * @key points to the key to be queried 4656 * @_buffer points to a pointer that should be set to point to the 4657 * resulting string (if no label or an error occurs). 4658 * Return the length of the string (including terminating NUL) or -ve if 4659 * an error. 4660 * May also return 0 (and a NULL buffer pointer) if there is no label. 4661 */ 4662static int smack_key_getsecurity(struct key *key, char **_buffer) 4663{ 4664 struct smack_known **blob = smack_key(key); 4665 struct smack_known *skp = *blob; 4666 size_t length; 4667 char *copy; 4668 4669 if (skp == NULL) { 4670 *_buffer = NULL; 4671 return 0; 4672 } 4673 4674 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4675 if (copy == NULL) 4676 return -ENOMEM; 4677 length = strlen(copy) + 1; 4678 4679 *_buffer = copy; 4680 return length; 4681} 4682 4683 4684#ifdef CONFIG_KEY_NOTIFICATIONS 4685/** 4686 * smack_watch_key - Smack access to watch a key for notifications. 4687 * @key: The key to be watched 4688 * 4689 * Return 0 if the @watch->cred has permission to read from the key object and 4690 * an error otherwise. 4691 */ 4692static int smack_watch_key(struct key *key) 4693{ 4694 struct smk_audit_info ad; 4695 struct smack_known *tkp = smk_of_current(); 4696 struct smack_known **blob = smack_key(key); 4697 int rc; 4698 4699 /* 4700 * This should not occur 4701 */ 4702 if (tkp == NULL) 4703 return -EACCES; 4704 4705 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4706 return 0; 4707 4708#ifdef CONFIG_AUDIT 4709 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4710 ad.a.u.key_struct.key = key->serial; 4711 ad.a.u.key_struct.key_desc = key->description; 4712#endif 4713 rc = smk_access(tkp, *blob, MAY_READ, &ad); 4714 rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc); 4715 return rc; 4716} 4717#endif /* CONFIG_KEY_NOTIFICATIONS */ 4718#endif /* CONFIG_KEYS */ 4719 4720#ifdef CONFIG_WATCH_QUEUE 4721/** 4722 * smack_post_notification - Smack access to post a notification to a queue 4723 * @w_cred: The credentials of the watcher. 4724 * @cred: The credentials of the event source (may be NULL). 4725 * @n: The notification message to be posted. 4726 */ 4727static int smack_post_notification(const struct cred *w_cred, 4728 const struct cred *cred, 4729 struct watch_notification *n) 4730{ 4731 struct smk_audit_info ad; 4732 struct smack_known *subj, *obj; 4733 int rc; 4734 4735 /* Always let maintenance notifications through. */ 4736 if (n->type == WATCH_TYPE_META) 4737 return 0; 4738 4739 if (!cred) 4740 return 0; 4741 subj = smk_of_task(smack_cred(cred)); 4742 obj = smk_of_task(smack_cred(w_cred)); 4743 4744 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4745 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4746 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4747 return rc; 4748} 4749#endif /* CONFIG_WATCH_QUEUE */ 4750 4751/* 4752 * Smack Audit hooks 4753 * 4754 * Audit requires a unique representation of each Smack specific 4755 * rule. This unique representation is used to distinguish the 4756 * object to be audited from remaining kernel objects and also 4757 * works as a glue between the audit hooks. 4758 * 4759 * Since repository entries are added but never deleted, we'll use 4760 * the smack_known label address related to the given audit rule as 4761 * the needed unique representation. This also better fits the smack 4762 * model where nearly everything is a label. 4763 */ 4764#ifdef CONFIG_AUDIT 4765 4766/** 4767 * smack_audit_rule_init - Initialize a smack audit rule 4768 * @field: audit rule fields given from user-space (audit.h) 4769 * @op: required testing operator (=, !=, >, <, ...) 4770 * @rulestr: smack label to be audited 4771 * @vrule: pointer to save our own audit rule representation 4772 * @gfp: type of the memory for the allocation 4773 * 4774 * Prepare to audit cases where (@field @op @rulestr) is true. 4775 * The label to be audited is created if necessary. 4776 */ 4777static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4778 gfp_t gfp) 4779{ 4780 struct smack_known *skp; 4781 char **rule = (char **)vrule; 4782 *rule = NULL; 4783 4784 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4785 return -EINVAL; 4786 4787 if (op != Audit_equal && op != Audit_not_equal) 4788 return -EINVAL; 4789 4790 skp = smk_import_entry(rulestr, 0); 4791 if (IS_ERR(skp)) 4792 return PTR_ERR(skp); 4793 4794 *rule = skp->smk_known; 4795 4796 return 0; 4797} 4798 4799/** 4800 * smack_audit_rule_known - Distinguish Smack audit rules 4801 * @krule: rule of interest, in Audit kernel representation format 4802 * 4803 * This is used to filter Smack rules from remaining Audit ones. 4804 * If it's proved that this rule belongs to us, the 4805 * audit_rule_match hook will be called to do the final judgement. 4806 */ 4807static int smack_audit_rule_known(struct audit_krule *krule) 4808{ 4809 struct audit_field *f; 4810 int i; 4811 4812 for (i = 0; i < krule->field_count; i++) { 4813 f = &krule->fields[i]; 4814 4815 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4816 return 1; 4817 } 4818 4819 return 0; 4820} 4821 4822/** 4823 * smack_audit_rule_match - Audit given object ? 4824 * @prop: security id for identifying the object to test 4825 * @field: audit rule flags given from user-space 4826 * @op: required testing operator 4827 * @vrule: smack internal rule presentation 4828 * 4829 * The core Audit hook. It's used to take the decision of 4830 * whether to audit or not to audit a given object. 4831 */ 4832static int smack_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, 4833 void *vrule) 4834{ 4835 struct smack_known *skp = prop->smack.skp; 4836 char *rule = vrule; 4837 4838 if (unlikely(!rule)) { 4839 WARN_ONCE(1, "Smack: missing rule\n"); 4840 return -ENOENT; 4841 } 4842 4843 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4844 return 0; 4845 4846 /* 4847 * No need to do string comparisons. If a match occurs, 4848 * both pointers will point to the same smack_known 4849 * label. 4850 */ 4851 if (op == Audit_equal) 4852 return (rule == skp->smk_known); 4853 if (op == Audit_not_equal) 4854 return (rule != skp->smk_known); 4855 4856 return 0; 4857} 4858 4859/* 4860 * There is no need for a smack_audit_rule_free hook. 4861 * No memory was allocated. 4862 */ 4863 4864#endif /* CONFIG_AUDIT */ 4865 4866/** 4867 * smack_ismaclabel - check if xattr @name references a smack MAC label 4868 * @name: Full xattr name to check. 4869 */ 4870static int smack_ismaclabel(const char *name) 4871{ 4872 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4873} 4874 4875/** 4876 * smack_to_secctx - fill a lsm_context 4877 * @skp: Smack label 4878 * @cp: destination 4879 * 4880 * Fill the passed @cp and return the length of the string 4881 */ 4882static int smack_to_secctx(struct smack_known *skp, struct lsm_context *cp) 4883{ 4884 int len = strlen(skp->smk_known); 4885 4886 if (cp) { 4887 cp->context = skp->smk_known; 4888 cp->len = len; 4889 cp->id = LSM_ID_SMACK; 4890 } 4891 return len; 4892} 4893 4894/** 4895 * smack_secid_to_secctx - return the smack label for a secid 4896 * @secid: incoming integer 4897 * @cp: destination 4898 * 4899 * Exists for networking code. 4900 */ 4901static int smack_secid_to_secctx(u32 secid, struct lsm_context *cp) 4902{ 4903 return smack_to_secctx(smack_from_secid(secid), cp); 4904} 4905 4906/** 4907 * smack_lsmprop_to_secctx - return the smack label 4908 * @prop: includes incoming Smack data 4909 * @cp: destination 4910 * 4911 * Exists for audit code. 4912 */ 4913static int smack_lsmprop_to_secctx(struct lsm_prop *prop, 4914 struct lsm_context *cp) 4915{ 4916 return smack_to_secctx(prop->smack.skp, cp); 4917} 4918 4919/** 4920 * smack_secctx_to_secid - return the secid for a smack label 4921 * @secdata: smack label 4922 * @seclen: how long result is 4923 * @secid: outgoing integer 4924 * 4925 * Exists for audit and networking code. 4926 */ 4927static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4928{ 4929 struct smack_known *skp = smk_find_entry(secdata); 4930 4931 if (skp) 4932 *secid = skp->smk_secid; 4933 else 4934 *secid = 0; 4935 return 0; 4936} 4937 4938/* 4939 * There used to be a smack_release_secctx hook 4940 * that did nothing back when hooks were in a vector. 4941 * Now that there's a list such a hook adds cost. 4942 */ 4943 4944static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4945{ 4946 /* 4947 * UDS inode has fixed label. Ignore nfs label. 4948 */ 4949 if (S_ISSOCK(inode->i_mode)) 4950 return 0; 4951 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4952 ctxlen, 0); 4953} 4954 4955static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4956{ 4957 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4958 ctx, ctxlen, 0, NULL); 4959} 4960 4961static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 4962{ 4963 struct smack_known *skp = smk_of_inode(inode); 4964 4965 cp->context = skp->smk_known; 4966 cp->len = strlen(skp->smk_known); 4967 cp->id = LSM_ID_SMACK; 4968 return 0; 4969} 4970 4971static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4972{ 4973 4974 struct task_smack *tsp; 4975 struct smack_known *skp; 4976 struct inode_smack *isp; 4977 struct cred *new_creds = *new; 4978 4979 if (new_creds == NULL) { 4980 new_creds = prepare_creds(); 4981 if (new_creds == NULL) 4982 return -ENOMEM; 4983 } 4984 4985 tsp = smack_cred(new_creds); 4986 4987 /* 4988 * Get label from overlay inode and set it in create_sid 4989 */ 4990 isp = smack_inode(d_inode(dentry)); 4991 skp = isp->smk_inode; 4992 tsp->smk_task = skp; 4993 *new = new_creds; 4994 return 0; 4995} 4996 4997static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4998{ 4999 /* 5000 * Return -ECANCELED if this is the smack access Smack attribute. 5001 */ 5002 if (!strcmp(name, XATTR_NAME_SMACK)) 5003 return -ECANCELED; 5004 5005 return -EOPNOTSUPP; 5006} 5007 5008static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 5009 const struct qstr *name, 5010 const struct cred *old, 5011 struct cred *new) 5012{ 5013 struct task_smack *otsp = smack_cred(old); 5014 struct task_smack *ntsp = smack_cred(new); 5015 struct inode_smack *isp; 5016 5017 /* 5018 * Use the process credential unless all of 5019 * the transmuting criteria are met 5020 */ 5021 ntsp->smk_task = otsp->smk_task; 5022 5023 /* 5024 * the attribute of the containing directory 5025 */ 5026 isp = smack_inode(d_inode(dentry->d_parent)); 5027 5028 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 5029 /* 5030 * If the directory is transmuting and the rule 5031 * providing access is transmuting use the containing 5032 * directory label instead of the process label. 5033 */ 5034 if (smk_rule_transmutes(otsp->smk_task, isp->smk_inode)) { 5035 ntsp->smk_task = isp->smk_inode; 5036 ntsp->smk_transmuted = ntsp->smk_task; 5037 } 5038 } 5039 return 0; 5040} 5041 5042#ifdef CONFIG_IO_URING 5043/** 5044 * smack_uring_override_creds - Is io_uring cred override allowed? 5045 * @new: the target creds 5046 * 5047 * Check to see if the current task is allowed to override it's credentials 5048 * to service an io_uring operation. 5049 */ 5050static int smack_uring_override_creds(const struct cred *new) 5051{ 5052 struct task_smack *tsp = smack_cred(current_cred()); 5053 struct task_smack *nsp = smack_cred(new); 5054 5055 /* 5056 * Allow the degenerate case where the new Smack value is 5057 * the same as the current Smack value. 5058 */ 5059 if (tsp->smk_task == nsp->smk_task) 5060 return 0; 5061 5062 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 5063 return 0; 5064 5065 return -EPERM; 5066} 5067 5068/** 5069 * smack_uring_sqpoll - check if a io_uring polling thread can be created 5070 * 5071 * Check to see if the current task is allowed to create a new io_uring 5072 * kernel polling thread. 5073 */ 5074static int smack_uring_sqpoll(void) 5075{ 5076 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 5077 return 0; 5078 5079 return -EPERM; 5080} 5081 5082/** 5083 * smack_uring_cmd - check on file operations for io_uring 5084 * @ioucmd: the command in question 5085 * 5086 * Make a best guess about whether a io_uring "command" should 5087 * be allowed. Use the same logic used for determining if the 5088 * file could be opened for read in the absence of better criteria. 5089 */ 5090static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5091{ 5092 struct file *file = ioucmd->file; 5093 struct smk_audit_info ad; 5094 struct task_smack *tsp; 5095 struct inode *inode; 5096 int rc; 5097 5098 if (!file) 5099 return -EINVAL; 5100 5101 tsp = smack_cred(file->f_cred); 5102 inode = file_inode(file); 5103 5104 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5105 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5106 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5107 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5108 5109 return rc; 5110} 5111 5112#endif /* CONFIG_IO_URING */ 5113 5114struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5115 .lbs_cred = sizeof(struct task_smack), 5116 .lbs_file = sizeof(struct smack_known *), 5117 .lbs_inode = sizeof(struct inode_smack), 5118 .lbs_ipc = sizeof(struct smack_known *), 5119 .lbs_key = sizeof(struct smack_known *), 5120 .lbs_msg_msg = sizeof(struct smack_known *), 5121 .lbs_sock = sizeof(struct socket_smack), 5122 .lbs_superblock = sizeof(struct superblock_smack), 5123 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5124}; 5125 5126static const struct lsm_id smack_lsmid = { 5127 .name = "smack", 5128 .id = LSM_ID_SMACK, 5129}; 5130 5131static struct security_hook_list smack_hooks[] __ro_after_init = { 5132 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5133 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5134 LSM_HOOK_INIT(syslog, smack_syslog), 5135 5136 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5137 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5138 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5139 5140 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5141 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5142 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5143 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5144 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5145 5146 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5147 5148 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5149 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5150 LSM_HOOK_INIT(inode_link, smack_inode_link), 5151 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5152 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5153 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5154 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5155 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5156 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5157 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5158 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5159 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5160 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5161 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5162 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5163 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5164 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5165 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5166 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5167 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5168 LSM_HOOK_INIT(inode_getlsmprop, smack_inode_getlsmprop), 5169 5170 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5171 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5172 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5173 LSM_HOOK_INIT(file_lock, smack_file_lock), 5174 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5175 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5176 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5177 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5178 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5179 LSM_HOOK_INIT(file_receive, smack_file_receive), 5180 5181 LSM_HOOK_INIT(file_open, smack_file_open), 5182 5183 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5184 LSM_HOOK_INIT(cred_free, smack_cred_free), 5185 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5186 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5187 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5188 LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop), 5189 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5190 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5191 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5192 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5193 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5194 LSM_HOOK_INIT(current_getlsmprop_subj, smack_current_getlsmprop_subj), 5195 LSM_HOOK_INIT(task_getlsmprop_obj, smack_task_getlsmprop_obj), 5196 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5197 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5198 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5199 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5200 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5201 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5202 LSM_HOOK_INIT(task_kill, smack_task_kill), 5203 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5204 5205 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5206 LSM_HOOK_INIT(ipc_getlsmprop, smack_ipc_getlsmprop), 5207 5208 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5209 5210 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5211 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5212 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5213 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5214 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5215 5216 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5217 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5218 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5219 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5220 5221 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5222 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5223 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5224 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5225 5226 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5227 5228 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5229 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5230 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5231 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5232 5233 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5234 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5235 5236 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5237 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5238#ifdef SMACK_IPV6_PORT_LABELING 5239 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5240#endif 5241 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5242 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5243 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5244 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5245 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5246 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5247#ifdef SMACK_IPV6_PORT_LABELING 5248 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5249#endif 5250 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5251 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5252 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5253 5254 /* key management security hooks */ 5255#ifdef CONFIG_KEYS 5256 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5257 LSM_HOOK_INIT(key_permission, smack_key_permission), 5258 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5259#ifdef CONFIG_KEY_NOTIFICATIONS 5260 LSM_HOOK_INIT(watch_key, smack_watch_key), 5261#endif 5262#endif /* CONFIG_KEYS */ 5263 5264#ifdef CONFIG_WATCH_QUEUE 5265 LSM_HOOK_INIT(post_notification, smack_post_notification), 5266#endif 5267 5268 /* Audit hooks */ 5269#ifdef CONFIG_AUDIT 5270 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5271 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5272 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5273#endif /* CONFIG_AUDIT */ 5274 5275 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5276 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5277 LSM_HOOK_INIT(lsmprop_to_secctx, smack_lsmprop_to_secctx), 5278 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5279 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5280 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5281 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5282 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5283 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5284 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5285#ifdef CONFIG_IO_URING 5286 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5287 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5288 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5289#endif 5290}; 5291 5292 5293static __init void init_smack_known_list(void) 5294{ 5295 /* 5296 * Initialize rule list locks 5297 */ 5298 mutex_init(&smack_known_huh.smk_rules_lock); 5299 mutex_init(&smack_known_hat.smk_rules_lock); 5300 mutex_init(&smack_known_floor.smk_rules_lock); 5301 mutex_init(&smack_known_star.smk_rules_lock); 5302 mutex_init(&smack_known_web.smk_rules_lock); 5303 /* 5304 * Initialize rule lists 5305 */ 5306 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5307 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5308 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5309 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5310 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5311 /* 5312 * Create the known labels list 5313 */ 5314 smk_insert_entry(&smack_known_huh); 5315 smk_insert_entry(&smack_known_hat); 5316 smk_insert_entry(&smack_known_star); 5317 smk_insert_entry(&smack_known_floor); 5318 smk_insert_entry(&smack_known_web); 5319} 5320 5321/** 5322 * smack_init - initialize the smack system 5323 * 5324 * Returns 0 on success, -ENOMEM is there's no memory 5325 */ 5326static __init int smack_init(void) 5327{ 5328 struct cred *cred = (struct cred *) current->cred; 5329 struct task_smack *tsp; 5330 5331 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5332 if (!smack_rule_cache) 5333 return -ENOMEM; 5334 5335 /* 5336 * Set the security state for the initial task. 5337 */ 5338 tsp = smack_cred(cred); 5339 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5340 5341 /* 5342 * Register with LSM 5343 */ 5344 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5345 smack_enabled = 1; 5346 5347 pr_info("Smack: Initializing.\n"); 5348#ifdef CONFIG_SECURITY_SMACK_NETFILTER 5349 pr_info("Smack: Netfilter enabled.\n"); 5350#endif 5351#ifdef SMACK_IPV6_PORT_LABELING 5352 pr_info("Smack: IPv6 port labeling enabled.\n"); 5353#endif 5354#ifdef SMACK_IPV6_SECMARK_LABELING 5355 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5356#endif 5357 5358 /* initialize the smack_known_list */ 5359 init_smack_known_list(); 5360 5361 /* Inform the audit system that secctx is used */ 5362 audit_cfg_lsm(&smack_lsmid, 5363 AUDIT_CFG_LSM_SECCTX_SUBJECT | 5364 AUDIT_CFG_LSM_SECCTX_OBJECT); 5365 5366 return 0; 5367} 5368 5369int __init smack_initcall(void) 5370{ 5371 int rc_fs = init_smk_fs(); 5372 int rc_nf = smack_nf_ip_init(); 5373 5374 return rc_fs ? rc_fs : rc_nf; 5375} 5376 5377/* 5378 * Smack requires early initialization in order to label 5379 * all processes and objects when they are created. 5380 */ 5381DEFINE_LSM(smack) = { 5382 .id = &smack_lsmid, 5383 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5384 .blobs = &smack_blob_sizes, 5385 .init = smack_init, 5386 .initcall_device = smack_initcall, 5387};